A central assumption in quantum key distribution (QKD) is that Eve has no knowledge about which rounds will be used for parameter estimation or key distillation. Here we show that this assumption is violated for iterative sifting, a sifting procedure that has been employed in many (but not all) of the recently suggested QKD protocols in order to increase their efficiency.

We show that iterative sifting leads to two security issues: (1) some rounds are more likely to be key rounds than others, (2) the public communication of past measurement choices changes this bias round by round. We analyze these two previously unnoticed problems, present eavesdropping strategies that exploit them, and find that the two problems are independent.

We discuss some sifting protocols in the literature that are immune to these problems. While some of these would be inefficient replacements for iterative sifting, we find that the sifting subroutine of an asymptotically secure protocol suggested by Lo, Chau and Ardehali [J. Cryptol. 18(2): 133-165, 2005], which we call LCA sifting, has an efficiency on par with that of iterative sifting. One of our main results is to show that LCA sifting can be adapted to achieve secure sifting in the finite-key regime. More precisely, we combine LCA sifting with a certain parameter estimation protocol, and we prove the finite-key security of this combination. Hence we propose that LCA sifting should replace iterative sifting in future QKD implementations. More generally, we present two formal criteria for a sifting protocol that guarantee its finite-key security. Our criteria may guide the design of future protocols and inspire a more rigorous QKD analysis, which has neglected sifting-related attacks so far.


INTRODUCTION 

Quantum key distribution (QKD) allows for unconditionally secure communication between two parties (Alice and Bob). A recent breakthrough in the theory of QKD is the treatment of finite-key scenarios, pioneered by Renner and collaborators (see [1], for example). This has made QKD theory practically relevant, since the asymptotic regime associated with infinitely many exchanged quantum signals is an insufficient description of actual experiments. In practice, Alice and Bob have limited time, which in turn limits the number of photons they can exchange. For example, in satellite-based QKD [2] where, say, Bob is on the satellite and Alice is on the ground, the time allotted for exchanging quantum signals corresponds to the time for the satellite to pass over Alice's laboratory on the ground. Even if such considerations did not play a role, the necessity of error correction forces the consideration of finite-size QKD because error correcting codes operate on blocks of fixed finite length.

Finite-key analysis attempts to rigorously establish the security of finite-size keys extracted from finite raw data. A systematic framework for such analysis was developed by Tomamichel et al. [3] involving the smooth entropy formalism. This framework was later extended to a decoy-state protocol by Lim et al. [4]. An alternative framework was developed by Hayashi and collaborators [5, 6]. Other extensions of the finite-key framework include the treatment of device-independence by Tomamichel et al. [7], Curty et al. [8] and Lim et al. [9], and continuous-variable protocols by Furrer et al. [10] and Leverrier [11]. The framework used in the aforementioned works, relying on some fairly technical results,^1 represents the current state-of-the-art in the level of mathematical rigor for QKD security proofs. These theoretical advances have led to experimental implementations [12-14] with finite-key analysis.

For practical reasons, it is important to consider not only a protocol's security but also its efficiency. Ideally a protocol should use as little quantum communication as possible, for a given length of the final secret key. For example, it was noted by Lo, Chau and Ardehali [15] that, in the asymptotic regime, protocols with biased basis-choice probabilities can dramatically decrease the necessary amount of quantum communication per bit of the raw key. This is because a bias increases the probability that Alice and Bob measure in the same basis. As a consequence, when Alice and Bob perform the sifting step of the protocol, where they discard the outcomes of all measurements that have been made in different bases, they lose less data (see Figure 2 and the discussion in Section IV).

Some authors have adopted this bias in the basis choice in finite-key protocols and combined it with another measure to further decrease the amount of data that is lost through sifting. In the resulting sifting scheme, which we call iterative sifting, Alice and Bob announce previous basis choices while the quantum communication is still in process, and they terminate the quantum communication as soon as they have collected sufficiently many measurement outcomes in identical bases. This way, less quantum communication takes place, while at the same time they always make sure that they collect enough data. The implicit assumption here is that the knowledge of previous basis choices, but not of upcoming ones, does not help a potential eavesdropper.

^1 These results include the uncertainty principle for smooth entropies and the operational meanings of these entropies.

As we show in this article, this assumption is wrong. Iterative sifting breaks the security proofs that have been presented for these protocols. This sifting scheme was part of theoretical protocols [3, 4, 8, 9] and has found experimental implementations [12]. Therefore, many (but not all) of the recently suggested protocols in QKD have serious security flaws.

Summary of the results 

The issue with iterative sifting that we point out is as follows. Typical QKD protocols involve randomly choosing some rounds to be used for parameter estimation (PE) (i.e. testing for the presence of an eavesdropper Eve) and other rounds for key generation (KG). Naturally, if Eve knows ahead of time whether a round will be used for PE, i.e., if Eve knows which rounds will form the sample for testing for an eavesdropper's presence, then she can adjust her attack appropriately and the protocol is insecure. Hence a central assumption in the QKD security analysis is that Eve has no knowledge about the sample. We show that this assumption is violated for iterative sifting.

To be more precise, the iterative sifting scheme has two problems which, to our knowledge, have been neither addressed nor noted in the literature:

• Non-uniform sampling: The sampling probability, according to which the key bits and the encoding basis are chosen, is not uniform.^2 In other words, there is an a priori bias: Eve knows ahead of time that some rounds are more likely to end up in the sample than others.

• Basis information leak: Alice and Bob's public communication about their previous basis choices (which, in iterative sifting, happens before the quantum communication is over) allows Eve to update her knowledge about which of the upcoming (qu)bits end up in the sample. As a consequence, the quantum information that passes the channel thereafter can be correlated to this knowledge of Eve.

^2 In general, the sampling probability (which decides which of the bits are chosen as test bits) is distinguished from the probability distribution which decides in which basis the information is encoded. In the literature, however, iterative sifting is combined with parameter estimation in a way such that bits measured in the X-basis are raw key bits, and bits measured in the Z-basis are used for parameter estimation. We will discuss this in more detail in the second half of Section I.

It is conceivable that these two problems become smaller as the size of the exchanged data increases. This remains to be shown. More importantly, however, the protocols in question are designed to be secure for finite key lengths. In the light of these two problems, the analysis in the literature does currently not account for these finite-size effects. This is not a purely theoretical objection but a practically very relevant issue, as we present some eavesdropping attacks that exploit the problems.

As we discuss in Section IV, the basis information leak can trivially be avoided by fixing the number of rounds in advance, and only announcing the basis choices after all quantum communication has taken place. We examine some sifting protocols from the literature with this property. In contrast to protocols that use iterative sifting, they often use fresh uniform randomness for the choice of the sample, and therefore trivially sample uniformly. This means that they are secure with respect to our concerns. However, we find that there is room for improvement over these protocols regarding efficiency.

Concretely, we note that one aspect that makes iterative sifting very efficient is the parameter estimation protocol that is used with it: after sifting, it simply uses the Z-bits as the sample for parameter estimation and the X-bits for the raw key, which is why we call it single-basis parameter estimation (SBPE). This is efficient because the sample choice requires no additional randomness and no authenticated communication. While SBPE is insecure when used in conjunction with iterative sifting, it turns out to be secure when used with the sifting subroutine of a protocol suggested by Lo, Chau and Ardehali, which we call LCA sifting. The combination of LCA sifting and SBPE is essentially as efficient as iterative sifting. It trivially has no basis information leak and, as we prove in Section IV, samples uniformly. We therefore suggest this combination for future QKD protocols.

More generally, we find clear and explicit mathematical criteria that are sufficient for a sifting protocol to be secure in combination with SBPE. In contrast, current literature on QKD does not state such assumptions explicitly, but rather uses them implicitly.

In our formulation, they take the form of two equations,

$$P_\Theta(\vartheta) = P_\Theta(\vartheta') \quad \forall\, \vartheta, \vartheta' \in \{0,1\}^l_k \qquad \text{and} \tag{1}$$

$$\rho_{A^l B^l \Theta^*} = \rho_{A^l B^l} \otimes \rho_{\Theta^*}. \tag{2}$$

Here, Equation (1) expresses the absence of non-uniform sampling, i.e., that the probability $P_\Theta(\vartheta)$ for a partitioning $\vartheta$ of the total rounds into sample rounds and key-generation rounds is independent of $\vartheta$. Equation (2) expresses the absence of basis information leak, which is formally expressed by stating that the classical communication $\Theta^*$ associated with the sifting process is uncorrelated (i.e., in a tensor product state) with Alice's and Bob's quantum systems $A^l B^l$. (The precise details of these two equations will be explained in Section V.) We find that the two problems are in fact independent. Hence, security from one of the two problems does not imply security from the other. The two formal criteria can be used to check whether a candidate protocol is subject to the two problems or not.

Outline of the paper 

We introduce the iterative sifting protocol in Section I, where we also explain our conventions and notation. We give a detailed description of the two problems with iterative sifting in Section II. We show how these problems can be exploited in Section III by presenting some intercept-resend attack strategies.

In Section IV, we discuss some sifting protocols that are immune to these problems. We study how ideas of existing protocols can be combined to get new secure protocols that are more efficient. As a result, we suggest the aforementioned combination of LCA sifting and SBPE, and prove its security.

In Section V, we give a more general answer to the question of how the two problems can be avoided by presenting formal mathematical criteria that a sifting protocol needs to satisfy in order to avoid the problems. We conclude with a summary in Section VI.

I. ITERATIVE SIFTING AND PARAMETER ESTIMATION

A typical QKD protocol consists of the following subroutines [3]:

(i) Preparation, distribution, measurement and sifting, which we collectively refer to as "sifting",

(ii) Parameter estimation,

(iii) Error correction,

(iv) Privacy amplification.

What we discuss in this paper refers to the subroutines (i) and (ii), whereas subroutines (iii) and (iv) are not of our concern. Even though the word sifting usually only refers to the process of discarding part of the data acquired in the measurements, we refer to the preparation, distribution, measurement and sifting together as "sifting", because they are intertwined in iterative sifting.

Our focus in this article is on a particular sifting scheme that we call iterative sifting. It has been formulated in slightly different ways in the literature, where the differences lie mostly in the choice of the wording and in whether it is realized as a prepare-and-measure protocol [3, 4, 8, 12] or as an entanglement-based protocol [9]. These details are irrelevant for the problems that we describe. Another difference is that some of the above-mentioned references take into consideration that sometimes, a measurement may not take place (no-detection event) or may have an inconclusive outcome. This is done by adding a third symbol ∅ to the set of possible outcomes, turning the otherwise dichotomic measurements into trichotomic ones with symbols {0, 1, ∅}. We choose not to do so, because the problems that we describe arise independently of whether no-detection events or inconclusive measurements take place. Incorporating them would not solve the problems that we address but rather complicate things and distract from the main issues that we want to point out.

The essence of the iterative sifting protocol is shown in Protocol I. There, and in the rest of the paper, we use the notation

$$[r] := \{1, 2, \ldots, r\} \quad \text{for all } r \in \mathbb{N}^+. \tag{3}$$

Our formulation of this protocol is close to the one described in [3], with the main difference that we choose an entanglement-based protocol instead of a prepare-and-measure protocol. This has the advantage that the formal criteria in Section V are easier to formulate, but a prepare-and-measure based protocol would otherwise be equally valid to demonstrate our points.

In the protocol, Alice iteratively prepares qubit pairs in a maximally entangled state (Step 1) and sends one half of the pair to Bob (Step 2).^3 Then, Alice and Bob each measure their qubit with respect to a basis a_i, b_i ∈ {0,1}, respectively, where 0 stands for the X-basis and 1 stands for the Z-basis (Steps 3 and 4). Thereby, Alice and Bob make their basis choice independently, where for each of them, 0 (X) is chosen with probability p_x and 1 (Z) with probability p_z. These probabilities p_x and p_z are parameters of the protocol. The important and problematic parts of the protocol are Step 5 and the subsequent check of the termination condition (TC): after each measurement, Alice and Bob communicate their basis choice over an authenticated classical channel. With this information at hand, they then check whether the termination condition is satisfied: if for at least n of the qubit pairs they had so far, they both measured in the X-basis, and for at least k of them, they both measured in the Z-basis, the termination condition is satisfied and they enter the final phase of the protocol by continuing with Step 6. These quotas n and k are parameters of the protocol. If the condition is not met, they repeat the Steps 1 to 5 (which we call the loop phase of the protocol) until they meet this condition. Because of this iteration, whose termination

^3 Choosing a maximally entangled state as the state that Alice prepares maximizes the probability that the correlation test in the parameter estimation (after sifting) is passed, i.e. the maximally entangled state maximizes the robustness of the protocol. However, for the security of the protocol, which is the concern of the present article, the choice of the state that Alice prepares is irrelevant.
Protocol I. Iterative Sifting

Parameters: n, k ∈ ℕ⁺, p_x, p_z ∈ [0,1] with p_x + p_z = 1.
Output: For l = n + k, the outputs are:
  Alice:  l-bit string (s_i)_{i=1}^l ∈ {0,1}^l (sifted outcomes),
  Bob:    l-bit string (t_i)_{i=1}^l ∈ {0,1}^l (sifted outcomes),
  public: l-bit string (ϑ_i)_{i=1}^l ∈ {0,1}^l with Σ_i ϑ_i = k (basis choices, sifted), where 0 means X-basis and 1 means Z-basis.
Number of rounds: Random variable M, determined by reaching the termination condition (TC) after Step 5.

The protocol

Loop phase: Steps 1 to 5 are iterated roundwise (round index r = 1, 2, ...) until the TC after Step 5 is reached. Starting with round r = 1, Alice and Bob do:

Step 1 (Preparation): Alice prepares a qubit pair in a maximally entangled state.

Step 2 (Channel use): Alice uses the quantum channel to send half of the qubit pair to Bob.

Step 3 (Random bit generation): Alice and Bob each (independently) generate a random classical bit a_r and b_r, respectively, where 0 is generated with probability p_x and 1 with probability p_z.

Step 4 (Measurement): Alice measures her share in the X-basis (if a_r = 0) or in the Z-basis (if a_r = 1), and stores the outcome in a classical bit y_r. Likewise, Bob measures his share in the X-basis (if b_r = 0) or in the Z-basis (if b_r = 1), and stores the outcome in a classical bit y'_r.

Step 5 (Interim report): Alice and Bob communicate their basis choices a_r and b_r over a public authenticated channel. Then they determine the sets

  u(r) := {j ∈ [r] | a_j = b_j = 0},
  v(r) := {j ∈ [r] | a_j = b_j = 1}.

TC: If the condition (|u(r)| ≥ n and |v(r)| ≥ k) is reached, Alice and Bob set m := r and proceed with Step 6. Otherwise, they increment r by one and repeat from Step 1.

Final phase: The following steps are performed only once:

Step 6 (Random discarding): Alice and Bob choose a subset u ⊆ u(m) of size n at random, i.e. each subset of size n is equally likely to be chosen. Analogously, they choose a subset v ⊆ v(m) of size k at random. Then they discard the bits a_r, b_r, y_r and y'_r for which r ∉ u ∪ v.

Step 7 (Order-preserving relabeling): Let r_i be the i-th element of u ∪ v. Then Alice determines (s_i)_{i=1}^l ∈ {0,1}^l, Bob determines (t_i)_{i=1}^l ∈ {0,1}^l and together they determine (ϑ_i)_{i=1}^l ∈ {0,1}^l, where for every i ∈ [l],

  s_i := y_{r_i},   t_i := y'_{r_i},   ϑ_i := a_{r_i} (= b_{r_i}).

Step 8 (Output): Alice [Bob] locally outputs (s_i)_{i=1}^l [(t_i)_{i=1}^l] and they publicly output (ϑ_i)_{i=1}^l.


condition depends on the history^4 of the protocol run up to that point, we call it the iterative sifting protocol. Its number of rounds is a random variable that we denote by M. We denote possible values of M by m (see the TC and Step 6).

After the loop phase of the protocol, in which the whole data is generated, Alice and Bob enter the final phase of the protocol, in which this data is processed. This processing consists of discarding data of rounds in which Alice and Bob measured in different bases, as well as randomly discarding a surplus of data for rounds where both measured in the same basis, where a "surplus" refers to having more than n (k) rounds in which both measured in the X (Z) basis, respectively. This discarding of surplus is done to simplify the analysis of the protocol, which is easier if the number of bits where both measured in the X (Z) basis is fixed to a number n (k). Since after the loop phase, Alice and Bob can end up with more bits measured in the same basis, they throw away the surplus at random. Finally, after throwing away the surplus, Alice and Bob locally output the remaining bit strings (s_i)_{i=1}^l and (t_i)_{i=1}^l of measurement outcomes and publicly output the remaining bit string (ϑ_i)_{i=1}^l of basis choices.

Iterative sifting is problematic, but to fully understand why, one needs to see how the output of the iterative sifting protocol is processed in the subsequent subroutine (ii), the parameter estimation, where Alice and Bob check for the presence of an eavesdropper. Protocols that use iterative sifting use a particular protocol for parameter estimation. To make clear what we are talking about, we have written it out in Protocol II.

Alice and Bob start the protocol with the strings (s_i)_{i=1}^l, (t_i)_{i=1}^l, (ϑ_i)_{i=1}^l that they got from sifting. Then, in a first step, they communicate the test bits. The test bits are those bits s_i, t_i that resulted from measurements in the Z-basis, i.e. the bits s_i, t_i with i such that ϑ_i = 1. Then, they determine the fraction of the test bits that are different for Alice and Bob, i.e. they determine the test bit error rate. If it is higher than a certain protocol parameter q_tol ∈ [0,1], they abort. Otherwise, they locally output the raw keys, which are the bits s_i, t_i that result from measurements in the X-basis, i.e. those s_i, t_i with i for which ϑ_i = 0.

It is important to emphasize that if the output of iterative sifting serves as the input of the parameter estimation protocol as in Protocol II, then the bits that result from measurements in the X-basis are used for the raw key, and the bits that result from measurements in the Z-basis are used for parameter estimation (i.e. they form the sample for the parameter estimation). Hence, the sample is determined by the basis choice; no additional randomness is injected to choose the sample. We call this single-basis parameter estimation (SBPE), because the parameter estimation is done in only one basis.

^4 By the history of a protocol run, we mean the record of everything that happened during the run of the protocol. In the case of iterative sifting, this means the random bits a_r, b_r, the measurement outcomes y_r, y'_r etc.

Protocol II. Single-Basis Parameter Estimation (SBPE)

Protocol Parameters: n, k ∈ ℕ⁺, p_x, p_z ∈ [0,1] with p_x + p_z = 1, and q_tol ∈ [0,1].
Input: For l = n + k, the inputs are:
  Alice:  l-bit string (s_i)_{i=1}^l ∈ {0,1}^l (measurement outcomes, sifted),
  Bob:    l-bit string (t_i)_{i=1}^l ∈ {0,1}^l (measurement outcomes, sifted),
  public: l-bit string (ϑ_i)_{i=1}^l ∈ {0,1}^l with Σ_i ϑ_i = k (basis choices, sifted), where 0 means X-basis and 1 means Z-basis.
Output: Either no output (if the protocol aborts in Step 2) or:
  Alice: n-bit string (x_j)_{j=1}^n ∈ {0,1}^n (raw key),
  Bob:   n-bit string (x'_j)_{j=1}^n ∈ {0,1}^n (raw key).

The protocol

Step 1 (Test bit communication): Alice and Bob communicate their test bits, i.e. the bits s_i and t_i with i for which ϑ_i = 1, over a public authenticated channel.

Step 2 (Correlation test): Alice and Bob determine the test bit error rate

$$\lambda_{\rm test} := \frac{1}{k} \sum_{i=1}^{l} \vartheta_i\,(s_i \oplus t_i),$$

where ⊕ denotes addition modulo 2, and do the correlation test: if λ_test ≤ q_tol, they continue the protocol and move on to Step 3. If λ_test > q_tol, they abort.

Step 3 (Raw key output): Let i_j be the j-th element of {i ∈ [l] | ϑ_i = 0}. Then Alice outputs the n-bit string (x_j)_{j=1}^n and Bob outputs the n-bit string (x'_j)_{j=1}^n, where

  x_j := s_{i_j},   x'_j := t_{i_j}.

This is not necessarily a problem by itself. However, as we will show in Section II A, in iterative sifting, some rounds are more likely to end up in the sample than other rounds. This leads to non-uniform sampling, which is a problem since uniform sampling is one of the assumptions that enter the analysis of the parameter estimation. This seems to have gone unnoticed so far, as we found that protocols in the literature that use iterative sifting as a subroutine use SBPE as a subroutine for parameter estimation (or something equivalent) [3, 4, 8, 9, 12]. In contrast, the LCA sifting protocol that we discuss in Section IV does sample uniformly, even if bits from X-measurements are used for the raw key and Z-measurements are used for parameter estimation, without injecting additional randomness.

We will discuss randomness injection for the sample choice in more detail in Section IV.

The idea behind the parameter estimation is the following: if the correlation test passes, then the likelihood that Eve knows much about the raw key is sufficiently low. The exact statement of this is subtle, and involves more details than are necessary for our purposes. We refer to [3] for more details. Here, what is important is that this estimate of Eve's knowledge is done via estimating another probability that we call the tail probability P_tail(μ) which, for μ ∈ [0,1], is given by

$$P_{\rm tail}(\mu) := P\big[\Lambda_{\rm key} \ge \Lambda_{\rm test} + \mu \;\big|\; \Lambda_{\rm test} \le q_{\rm tol}\big]. \tag{4}$$

Here, Λ_test is the random variable of the test bit error rate λ_test determined in the parameter estimation protocol,

$$\Lambda_{\rm test} := \frac{1}{k} \sum_{i=1}^{l} \vartheta_i\,(s_i \oplus t_i). \tag{5}$$

The random variable Λ_key is the random variable of a quantity that is not actually measured: it is the random variable of the error rate on the raw key bits if they had been measured in the Z-basis. Since in the actual protocol, the raw key bits have been measured in the X-basis, the random variable Λ_key is the result of a Gedankenexperiment rather than an actually measured quantity. We will define Λ_key formally in Section V.

The usual analysis, as in Reference [3], aims at proving that

$$P_{\rm tail}(\mu) \le \frac{\exp(-2\,\xi\,\mu^2)}{p_{\rm pass}}, \tag{6}$$

where

$$p_{\rm pass} := P[\Lambda_{\rm test} \le q_{\rm tol}] \tag{7}$$

and ξ > 0 is a factor that depends only on the block sizes n and k. Inequality (6) is turned into an inequality about the eavesdropper's knowledge about the raw key using an uncertainty relation for smooth entropies [3, 16].


Notation and terminology 

In the following sections, we will have a closer look at the probabilities of certain outputs of the iterative sifting protocol in Protocol I. For example, in Section II A we will consider the probability that iterative sifting with parameters n = 1, k = 2 outputs the string ϑ = (ϑ_i)_{i=1}^3 = (1, 1, 0). Since the output of the protocol is probabilistic, the output string becomes a random variable. We denote random variables by capital letters and their values by lower case letters. For example, the random variable for the output string ϑ is denoted by Θ, and the probability of the output string to have a certain value ϑ is P[Θ = ϑ]. For strings ϑ = (ϑ_i)_{i=1}^l ∈ {0,1}^l we write

  ϑ_1 ϑ_2 ... ϑ_l   instead of   (ϑ_1, ϑ_2, ..., ϑ_l),

i.e. we omit the brackets and commas. For example, we write 110 ∈ {0,1}^3 instead of (1, 1, 0) ∈ {0,1}^3, so the probability that we calculate in Section II A is P[Θ = 110]. Other random variables that we consider include the random variable A_1 (B_1) of Alice's (Bob's) first basis choice a_1 (b_1) or the random variable M of the number m of total rounds performed in the loop phase of the iterative sifting protocol.

To simplify the calculations, it is convenient to introduce the following terminology. For a round r in the loop phase of the iterative sifting protocol, r is an X-agreement if a_r = b_r = 0, r is a Z-agreement if a_r = b_r = 1 and r is a disagreement if a_r ≠ b_r. We sometimes say that r is an agreement if it is an X- or a Z-agreement.

For calculations with random variables like Θ, A_1, B_1 or M, the sample space of the relevant underlying probability space is the set of all possible histories of the iterative sifting protocol. This set is hard to model, as it contains not only all possible strings (a_r)_r, (b_r)_r, (y_r)_r and (y'_r)_r of the loop phase (which can be arbitrarily long) but also a record of the choice of the subsets u and v in the random discarding during the final phase. It is, however, not necessary for our calculations to have the underlying sample space explicitly written out. In order to avoid unnecessarily complicating things, we therefore only deal with the relevant events, random variables and their probability mass functions directly, assuming that the reader understands what probability space they are meant to be defined on. In contrast, the LCA sifting protocol which we discuss in Section IV has a simpler set of histories, and we will derive a probability space model for it in Appendix C.

We often write expressions in terms of probability mass functions instead of in terms of probability weights of events, e.g. we write

$$P_\Theta(\vartheta) := P[\Theta = \vartheta]. \tag{8}$$


II. THE PROBLEMS

A. Non-uniform sampling

To show that iterative sifting leads to non-uniform sampling, we calculate the sampling probabilities for some example parameters k, n ∈ ℕ⁺ as functions of the probabilities p_x and p_z. By a sampling probability, we mean the probability that some subset of k of the l = n + k bits is used as a sample for the parameter estimation, i.e. the sampling probabilities are P_Θ(ϑ) for ϑ ∈ {0,1}^l_k, where

$$\{0,1\}^l_k := \Big\{\, \vartheta \in \{0,1\}^l \;\Big|\; \sum_{i=1}^{l} \vartheta_i = k \,\Big\} \tag{9}$$

is the set of all l-bit strings with Hamming weight k. We say that sampling is uniform if P_Θ(ϑ) is the same for all ϑ ∈ {0,1}^l_k, and non-uniform otherwise. While non-uniform sampling already arises in the case of the smallest possible parameters k = n = 1, the results are even more interesting in cases where k ≠ n. Let us consider iterative sifting (Protocol I) with n = 1, k = 2 and arbitrary p_x, p_z ∈ [0,1]. Let Θ denote the random variable of the string ϑ = (ϑ_i)_{i=1}^3 of sifted basis choices which is generated by the protocol. The possible values of Θ are 110, 101 and 011. The probabilities of these strings are given as follows (see Appendix A for a proof).

Proposition 1: For the iterative sifting protocol as in Protocol I with n = 1 and k = 2, it holds that

$$P_\Theta(110) = g_z^2, \qquad \text{where} \quad g_z := \frac{p_z^2}{p_x^2 + p_z^2}. \tag{10}$$

For the other two possible values of Θ, it holds that

$$P_\Theta(011) = P_\Theta(101) = \frac{1 - g_z^2}{2}. \tag{11}$$

Hence, different samples have different probabilities, in general. In order for the sampling probability P_Θ to be uniform, in the case where n = 1 and k = 2, we need to have P_Θ(ϑ) = 1/3 for ϑ = 011, 101, 110. This holds if and only if g_z² = (g_z*)², where g_z* = 1/√3, which in turn is equivalent to p_z = p_z*, where

$$p_z^* = \frac{(3 + 2\sqrt{3})\,\big(1 - \sqrt{\sqrt{3} - 1}\,\big)}{\sqrt{3}} \approx 0.539. \tag{12}$$

This is bad news for iterative sifting: it means that iterative sifting leads to non-uniform sampling for all values of p_z except p_z = p_z*. Interestingly, the value of p_z* does not seem to be a probability that has been considered in the QKD literature. In particular, p_z* corresponds to neither the symmetric case p_z = 1/2 nor to a certain asymmetric probability which has been suggested to be chosen in order to maximize the key rate [3].

The value g_z can be interpreted as the probability that in a certain round of the loop phase, Alice and Bob have a Z-agreement, given that they have an agreement in that round (this conditioning is why p_z² is renormalized with the factor 1/(p_x² + p_z²)). Hence, g_z² is the probability that Alice and Bob's first two basis agreements are Z-agreements. Therefore, P_Θ(110) = g_z² is what one would intuitively expect: to end up with Θ = 110, the first two basis agreements need to be Z-agreements, and conversely, whenever the first two basis agreements are Z-agreements, Alice and Bob end up with Θ = 110.
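As an added worked derivation (not part of the original text, which defers the proof of Proposition 1 to Appendix A), the same agreement-sequence picture also gives the two remaining probabilities in Eq. (11). Write $g := g_z$ and $h := 1 - g_z = p_x^2/(p_x^2 + p_z^2)$ for the conditional probabilities that an agreement round is a Z- or an X-agreement, and describe a run only by its sequence of agreements, since disagreements enter neither $u(m)$ nor $v(m)$. For $n = 1$, $k = 2$ the first agreements fall into three cases:

• ZZ$\ldots$ (probability $g^2$): the loop continues until the first X-agreement, which is then the only element of $u(m)$; every Z-agreement precedes it, so $\Theta = 110$ whichever two elements of $v(m)$ Step 6 keeps.

• ZX$\ldots$ (probability $gh$): the loop continues until the second Z-agreement; all X-agreements lie between the two Z-agreements, which are exactly the ones that survive, so $\Theta = 101$.

• X$\ldots$ (probability $h$): the loop stops at the second Z-agreement. If $a \ge 0$ further X-agreements occur before the first Z-agreement and $b \ge 0$ between the two Z-agreements (probability $h^{1+a+b} g^2$), Step 6 keeps one of the $1+a+b$ X-agreements uniformly at random, so $\Theta = 011$ with probability $(1+a)/(1+a+b)$ and $\Theta = 101$ otherwise.

Summing over $a, b$ with $s := a + b$, and using $\sum_{a+b=s} (1+a) = \tfrac{(s+1)(s+2)}{2}$, $\sum_{a+b=s} b = \tfrac{s(s+1)}{2}$, $\sum_{s \ge 0} h^s = 1/g$ and $\sum_{s \ge 0} s\,h^s = h/g^2$:

$$P_\Theta(011) = h g^2 \sum_{s \ge 0} h^s\,\frac{s+2}{2} = \frac{h^2}{2} + hg, \qquad
P_\Theta(101) = gh + h g^2 \sum_{s \ge 0} h^s\,\frac{s}{2} = gh + \frac{h^2}{2}.$$

Both equal $h - \tfrac{h^2}{2} = \tfrac{(1-g)(1+g)}{2} = \tfrac{1 - g_z^2}{2}$, which is Eq. (11), and together with $P_\Theta(110) = g^2$ the three probabilities sum to $g^2 + gh + h = 1$.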

More generally, it turns out that for n = 1 and for k ∈ ℕ⁺ arbitrary, the iterative sifting protocol leads to

$$P_\Theta(1 \cdots 1 0) = g_z^k, \tag{13}$$

$$P_\Theta(\vartheta) = \frac{1 - g_z^k}{k} \qquad \text{for all other } \vartheta \in \{0,1\}^l_k. \tag{14}$$

This is a uniform probability distribution if and only if g_z^k = (1 − g_z^k)/k, i.e. g_z = g_z*, where

$$g_z^* = (k+1)^{-1/k}, \tag{15}$$

which is true iff p_z = p_z*, where

$$p_z^* = \frac{g_z^* - \sqrt{g_z^*\,(1 - g_z^*)}}{2 g_z^* - 1}. \tag{16}$$

(For k = 1, where g_z* = 1/2, the right-hand side of (16) degenerates to 0/0; in that case g_z = 1/2 holds iff p_z = 1/2, so p_z* = 1/2.) For k = 2, Eq. (15) gives g_z* = 1/√3 and Eq. (16) reduces to Eq. (12). Hence, we conclude that iterative sifting does not lead to uniformly random sampling, unless p_x and p_z are chosen in a very particular way. This particular choice does not seem to correspond to anything that has been considered in the literature so far.


B. Basis information leak

In iterative sifting, information about Alice's and Bob's basis choices reaches Eve in every round of the loop phase. In Step 5 of round r, Alice and Bob communicate their basis choices a_r, b_r of that round. They do so because they want to condition their upcoming action on the strings a_1…a_r and b_1…b_r: if they have enough basis agreements, they quit the loop phase; otherwise they keep looping.

What seems to have remained unnoticed in the literature is that Eve can also condition her actions on a_1…a_r and b_1…b_r. This means that if there is a round r+1, Eve can correlate the state of the qubit that Alice sends to Bob in round r+1 with a_1…a_r and b_1…b_r. Hence, the state of the qubit that Bob measures is correlated with the classical register that keeps the information about the basis choice. Note that the basis information leak tells Eve how close Alice and Bob are to meeting their quotas for each basis. Eve can tailor her attack on future rounds based on this information. For example, if Alice and Bob have already met their Z-quota but not their X-quota, then Eve can measure in the X-basis, knowing that, if Alice and Bob happen to both measure Z, the round may be discarded anyway.

We want to emphasize that the basis information leak is not resolved by injecting additional randomness for the choice of the sample. As we will discuss in Section IV, such additional randomness can ensure that the sampling is uniform, but it does not help against the basis information leak. Randomness injection for the sample is effectively equivalent to performing a random permutation on the qubits [17]. This does not remove the correlation between the classical basis information register and the qubits.

We will see more concretely how the basis information leak is a problem when we present an eavesdropping attack in Section III A and when we treat the problem more formally in Section V.


III. EAVESDROPPING ATTACKS

A detailed analysis of the effect of non-uniform sampling and basis information leak on the key rate is beyond the scope of the present paper. It would involve developing a new security analysis for a whole protocol involving iterative sifting. Instead of attempting to find a modified analysis for iterative sifting, we will discuss alternative protocols in Section IV.

However, to give an intuitive idea of the effect, we will calculate another figure of merit: the error rate for an intercept-resend attack. We devise a strategy for Eve to attack the iterative sifting protocol during its loop phase and calculate the expected value of the error rate

$$ E = \frac{1}{l} \sum_{i=1}^{l} S_i \oplus T_i \tag{17} $$

that results from this attack. Here, ⊕ denotes addition modulo 2 and S_i and T_i are the random variables of the bits s_i and t_i, respectively, which are generated by the protocol. One would typically expect an error rate no lower than 25% for an intercept-resend attack [18], which is why our results below are alarming.


A. Attack on non-uniform sampling

Let us first consider an attack on non-uniform sampling, i.e., on the fact that not every possible value of ϑ is equally likely. It will be a particular kind of intercept-resend attack, i.e. Eve intercepts all the qubits that Alice sends to Bob during the loop phase, measures them in some basis and afterwards prepares another qubit in the eigenstate associated with her outcome and sends it to Bob. Then we will show that the attack strategy leads to an error rate below 25%.

For the error rate calculation, we assume that the X- and Z-bases are the same for Alice, Bob and Eve, and that they are mutually unbiased. This way, if Alice and Bob measure in the same basis but Eve measures in the other basis, then Eve introduces an error probability of 1/2 on this qubit. Moreover, for simplicity, we make this calculation for the easiest possible choice of parameters. Consider the iterative sifting protocol (Protocol I) with the parameters k = n = 1. From Equations (13) and (14), we get that the sampling probabilities in this case are

$$ P_\Theta(01) = \frac{p_x^2}{p_x^2 + p_z^2} , \qquad P_\Theta(10) = \frac{p_z^2}{p_x^2 + p_z^2} . \tag{18} $$

These sampling probabilities are uniform for the symmetric case p_x = p_z but non-uniform for all other values. In the following, we assume p_x > 1/2, which makes the sample ϑ = 01 more likely than the sample ϑ = 10. We choose the following attack: in the first round of the loop phase, Eve attacks in the X-basis, and in all the other rounds she attacks in the Z-basis. We choose the attack this way because we know that the first non-discarded basis agreement is more likely to be an X-agreement, whereas the second one is more likely to be a Z-agreement.*

* The attentive reader may point out that this attack could be improved by making Eve's basis choice dependent on the communication between Alice and Bob. This is correct, but we intentionally design the attack such that Eve ignores Alice and Bob's communication. That allows one to see the effect of non-uniform sampling alone and to compare it to attacks on basis information leak alone, see Sections III B and III C.

We calculate the expected error rate for this attack in Appendix B 1. The black curve in Figure 1 shows ⟨E⟩ as a function of p_x for this attack. Notice that ⟨E⟩ falls below 25% for 1/2 < p_x < 1, and reaches a minimum of ⟨E⟩ ≈ 22.8% for p_x ≈ 0.73.

FIG. 1. The error rate for three different eavesdropping attacks on iterative sifting, plotted against p_x: (1) attack on non-uniform sampling (long-dashed, black curve), (2) attack on basis-information leak (short-dashed, blue curve), (3) attack on both problems (solid, red curve).

The concerned reader might worry that the 25% error rate associated with the intercept-resend attack was derived under the assumption of equal weighting for the two bases X and Z, whereas it seems that here we choose unequal weightings. However, for the protocol under consideration, the a priori probability distribution {p_x, p_z} is not the relevant quantity. Rather, the fact that n = k in our example ensures that the X and Z bases enter with equal weighting.

B. Attack on basis information leak

We now give an eavesdropping strategy that exploits the basis information leak. It is an adaptive strategy, in which Eve's action in round r+1 depends on the past communication of the strings a_1…a_r and b_1…b_r. Again, we consider the simple case of n = k = 1. To make sure our attack is really exploiting the basis information leak and not the non-uniform sampling, we set p_x = p_z = 1/2. In this case, from Eq. (18), the sampling is uniform:

$$ P_\Theta(01) = P_\Theta(10) = \tfrac{1}{2} . \tag{19} $$

Before we define Eve's strategy, we want to give some intuition. Suppose that during the protocol, Eve learns that Alice and Bob just had their first basis agreement. If this first agreement is a Z-agreement, say, what does this mean for Eve? She knows that the protocol will now remain in the loop phase until they end up with an X-agreement. Suppose that she now decides that she will measure all the remaining qubits in the X-basis. Then, if the next basis agreement of Alice and Bob is an X-agreement, Eve knows the raw key bit perfectly, and her measurement on that bit did not introduce an error. If the next basis agreement is a Z-agreement, she may introduce an error on that test bit. However, there is a chance that Alice and Bob discard this test bit, because they have a total of two (or more, in the end) Z-agreements, and the protocol forces them to discard all Z-agreements except k = 1 of them. Hence, learning that the first basis agreement was a Z-agreement brings Eve into a favorable position: she knows that attacking in the X-basis for the rest of the loop phase will necessarily tell her the raw key bit, while she has quite some chance of remaining undetected.

This intuition inspires the following intercept-resend attack. Before the first round of the loop phase, Eve flips a fair coin. Let F be the random variable of the coin flip outcome and let 0 and 1 be its possible values. If F = 0, then in the first round Eve attacks in the X-basis, and if F = 1, she attacks in the Z-basis. In the subsequent rounds, she keeps attacking in that basis until Alice and Bob have first reached a basis agreement. If it is an X-agreement (equivalent to ϑ = 01), Eve attacks in the Z-basis in all remaining rounds, and if it is a Z-agreement (equivalent to ϑ = 10), she attacks in the X-basis in all remaining rounds.†

† We let Eve flip a coin in order to make the attack symmetric between X and Z. This allows for a more meaningful comparison with the attack on non-uniform sampling, as this attack here does not exploit non-uniform sampling even if p_x ≠ 1/2, see Sections III A and III C.

We calculate the expected error rate for this attack in Appendix B 2. We find that

$$ \langle E \rangle \approx 16.3\% . \tag{20} $$

Hence, the basis information leak allows Eve to go far below the typical expected error rate of 25% for intercept-resend attacks [19]. The blue curve in Figure 1 shows, more generally, ⟨E⟩ as a function of p_x for this attack.
C. Independence of the two problems

Are non-uniform sampling and basis information leak really two different problems, or is one a consequence of the other? We will argue now that the two problems are in fact independent. To this end, we describe a protocol that suffers from non-uniform sampling but not from basis information leak, and another protocol that suffers from basis information leak but not from non-uniform sampling.

We have already seen an instance of a protocol that suffers from basis information leak but not from non-uniform sampling: in Section III B, we looked at the iterative sifting protocol with n = k = 1 and p_x = p_z = 1/2, in which case the sampling is uniform. Hence, there was no exploitation of non-uniform sampling, but the attack strategy exploited basis information leak.

What about the other way round? Can non-uniform sampling occur without basis information leak? A closer look at the attack on non-uniform sampling presented in Section III A hints that this is possible: the attack strategy works even though it completely ignores the communication between Alice and Bob, so it did not make any use of the basis information leak due to this communication.

A more dramatic example shows clearly that non-uniform sampling can occur without basis information leak. To this end, we forget about iterative sifting for a moment and look at a different protocol. Consider a sifting protocol in which Alice and Bob agree in advance that they will measure the first n = 100 qubits in the X-basis, and that they will measure the second k = 100 qubits in the Z-basis, without any communication during the protocol. Of course, there is no hope for this protocol to be useful for QKD, but it serves well to demonstrate our point. It leads to a very dramatic form of non-uniform sampling, because P_Θ(0…01…1) = 1 and P_Θ(ϑ) = 0 for all other ϑ ∈ {0,1}^l_k. If Eve attacks the first 100 rounds in X and the second 100 rounds in Z, then she knows the raw key perfectly, without introducing any error. At the same time, there is no communication between Alice and Bob during the protocol, so no information about the basis choice is leaked during the protocol. Instead, Eve (who is always assumed to know the protocol) already had this information before the first round.

Hence, we conclude that the problems of non-uniform sampling and basis information leak are independent. They just happen to occur simultaneously for iterative sifting, but they can occur separately in general. We will see the independence of the two problems more formally in Section V.


D. Attack on both problems

Since the two problems are independent, it is interesting to devise an attack that exploits both of them. Let us again consider k = n = 1 and suppose p_x > 1/2 to ensure that we have non-uniform sampling. Suppose Eve begins in the same way as in the attack on non-uniform sampling, measuring in the X-basis. However, as in the attack on the basis information leak, she makes her attack adaptive by following the rule that she switches to the Z-basis when Alice and Bob announce that they had an X-agreement. If Alice and Bob announce a Z-agreement, Eve keeps attacking in the X-basis.

We give an expression for the error rate induced by this attack in Appendix B 3. The red curve in Figure 1 shows a plot of this error rate as a function of p_x. As one can see, the error rate attains its minimum of ⟨E⟩ ≈ 15.8% for p_x ≈ 0.57. Hence, this combined attack on both problems performs much better than the one on non-uniform sampling alone (with a minimal error rate of ≈ 22.8%) and even better than the attack on the basis information leak alone (with a minimal error rate of ≈ 16.3%).
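The sampling probabilities of Proposition 1 and Eqs. (13) to (16), and the error rates of the three attacks in Sections III A, III B and III D, can be checked numerically with the following simulation. It is an added example, not code from the paper: the loop rule (bases announced after every round, loop until both quotas are met), the uniformly random discarding of surplus agreements and the model of a wrong-basis intercept-resend as a bit flip with probability 1/2 are assumptions consistent with the text, and all function names and the `eve_factory` interface are our own.

```python
"""Monte Carlo model of iterative sifting (Protocol I) and of the three
intercept-resend attacks of Section III.  Added example, not code from the
paper.  Assumptions: bases are announced after every round and the loop stops
once both quotas are met; surplus agreements are discarded uniformly at
random; an intercept-resend in the wrong basis flips the kept bit w.p. 1/2."""
import math
import random

X, Z = 0, 1  # basis labels as in the paper: 0 = X-basis, 1 = Z-basis


def sift(n, k, p_x, rng, eve_factory=None):
    """One run of iterative sifting with quotas n (X) and k (Z).

    eve_factory(rng) returns a strategy eve(r, history) giving the basis Eve
    measures in round r, given the announced (a, b) pairs of earlier rounds.
    Returns (theta, errors): the sifted basis string and one error flag
    S_i xor T_i per kept bit, in round order.
    """
    eve = eve_factory(rng) if eve_factory else None
    agreements = {X: [], Z: []}      # basis -> [(round, basis, error_flag)]
    history = []                     # announced (a_r, b_r), visible to Eve
    r = 0
    while len(agreements[X]) < n or len(agreements[Z]) < k:
        r += 1
        a = X if rng.random() < p_x else Z
        b = X if rng.random() < p_x else Z
        if a == b:
            mismatch = eve is not None and eve(r, history) != a
            err = 1 if mismatch and rng.random() < 0.5 else 0
            agreements[a].append((r, a, err))
        history.append((a, b))       # Step 5: basis choices go public
    # random discarding of surplus agreements, then order-preserving relabeling
    kept = sorted(rng.sample(agreements[X], n) + rng.sample(agreements[Z], k))
    return "".join(str(bs) for _, bs, _ in kept), [e for _, _, e in kept]


def attack_non_uniform(rng):
    """Sec. III A: X in round 1, Z afterwards; ignores all announcements."""
    return lambda r, history: X if r == 1 else Z


def attack_basis_leak(rng):
    """Sec. III B: coin-flipped start basis; after the first announced
    agreement, switch to the other basis for the rest of the loop phase."""
    start = X if rng.random() < 0.5 else Z

    def eve(r, history):
        for a, b in history:
            if a == b:
                return Z if a == X else X
        return start
    return eve


def attack_both(rng):
    """Sec. III D: X until an X-agreement is announced, then Z."""
    return lambda r, history: Z if any(a == b == X for a, b in history) else X


def sampling_distribution(n, k, p_x, trials, seed=1):
    """Empirical P_Theta(theta), to compare with Eqs. (13) and (14)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        theta, _ = sift(n, k, p_x, rng)
        counts[theta] = counts.get(theta, 0) + 1
    return {t: c / trials for t, c in sorted(counts.items())}


def expected_error_rate(p_x, attack, trials, seed=1):
    """Estimate of <E>, Eq. (17), for n = k = 1 under the given attack."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        _, errors = sift(1, 1, p_x, rng, attack)
        total += sum(errors) / len(errors)
    return total / trials


def g_z(p_x):
    """Probability that an agreement is a Z-agreement (Proposition 1)."""
    p_z = 1 - p_x
    return p_z ** 2 / (p_x ** 2 + p_z ** 2)


def p_z_star(k):
    """The unique p_z giving uniform sampling for n = 1 (Eqs. 15 and 16)."""
    g = (k + 1) ** (-1.0 / k)
    return (g - math.sqrt(g * (1 - g))) / (2 * g - 1)
```

With n = 1, k = 2 the simulation shows that even the symmetric choice p_x = 1/2 is non-uniform (ϑ = 110 is sampled with probability 1/4, the other two with 3/8 each), while p_z = p_z_star(2) ≈ 0.539 makes all three equally likely; the three attack estimates at p_x = 0.73, 0.5 and 0.57 land near the 22.8%, 16.3% and 15.8% quoted above.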


IV. SOLUTIONS TO THE PROBLEMS

How can these problems be avoided? Roughly speaking, we can say that protocols with iterative sifting are characterized by three properties that make it efficient: (1) asymmetric basis choice probabilities and quota, p_x > p_z and n > k, (2) single-basis parameter estimation (Protocol II), (3) communication in Step 5 of the loop phase. As we have seen, it is the communication which causes the basis information leak.

An obvious fix to this problem is to take this communication out of the loop phase and to postpone it to the final phase, when all the quantum communication is over. Then there is no classical communication during the loop phase, and hence there cannot be a termination condition that depends on classical communication. Instead, the number of rounds in the loop phase is set to a fixed number m ∈ ℕ⁺. This number m then becomes a parameter of the protocol.

Fixing the number of rounds introduces a new issue: there is no guarantee that the quotas for X- and Z-agreements will be met after m rounds. In order to perform the parameter estimation, however, the quotas n and k must be met. Otherwise, Inequality (6) is not applicable, because the numbers of X- and Z-agreements in the loop phase are random numbers that can be below n and k, respectively. Thus, unless one wants to introduce a new tail probability analysis as well, there is a strictly positive probability that Alice and Bob have to abort the sifting protocol because they have too many basis disagreements. If the sifting scheme is modified in this way, it no longer involves any communication about the basis choices during its loop phase. Thus, it is trivially true that there is no basis information leak.

Many protocols in the QKD literature have such a fixed number m of rounds (which is often denoted by N instead) and a corresponding abort event. It seems that before iterative sifting was introduced, the sifting procedure was either not clearly written out in the protocols, or it had such a fixed round number. For example, in the original BB84 paper [20], the sifting scheme is not written out in enough detail to say whether this is the case, but the protocol for which Shor and Preskill showed asymptotic security uses a fixed number of rounds [21]. In addition, they use symmetric basis choice probabilities and quota, i.e. p_x = p_z = 1/2 and k = n. Alice sends 4n + δ qubits to Bob (where δ is a positive but small overhead) without any intermediate classical communication. Afterwards, they compare their bases and check whether they have at least n X-agreements and at least n Z-agreements. If not, they abort; otherwise they choose n X-agreements and n Z-agreements and discard the rest.

With the remaining 2n bits, they continue with parameter estimation. However, instead of performing SBPE, they choose n bits at random (i.e. with fresh randomness) for parameter estimation and use the rest for the raw key. Hence, this protocol shares none of the three properties with iterative sifting that we listed above.

This scheme trivially has no basis information leak. In addition, it trivially samples uniformly, as the whole sample is chosen with fresh randomness that is injected for that purpose. Thus, it is secure with respect to the concerns raised in this article. However, it is unnecessarily inefficient: speaking in expectation values, half of the bits are discarded because they were determined in different bases, and another quarter of the bits is used for parameter estimation, leaving only a quarter of the original bits for the raw key, see Figure 2 a).

A similar protocol has recently been suggested by Tomamichel and Leverrier with a complete proof of its security, modelling all its subroutines [22]. They also use symmetric basis choice probabilities p_x = p_z and randomness injection for the sample choice. However, they do not use half of the sifted bits for parameter estimation but less. Their protocol also samples uniformly, because additional randomness is injected for the choice of the sample.

To increase the efficiency, Lo, Chau and Ardehali (LCA) suggested using asymmetric basis choice probabilities and quota, i.e. p_x > p_z and k ≠ n. As shown in Figure 2 b), this decreases the expected number of disagreements from m/2 to 2 p_x p_z m. This is great for efficiency: for larger block lengths, relatively smaller samples are required to gain the same confidence that Alice's and Bob's bits are correlated.‡ In the limit where m → ∞, the probability p_x can be chosen arbitrarily close to one, and the fraction of data lost due to basis disagreements converges to zero. We call this protocol LCA sifting. It shares property (1) with iterative sifting.

‡ This can be seen from Inequality (6), for example.

As for the protocol of Shor and Preskill, Lo, Chau and Ardehali did not consider SBPE. Their parameter estimation also requires some randomness injection for the choice of the sample: the Z-agreements form one half of the sample, and the other half is chosen at random from the X-agreements. Then, not just one but two error rates are determined, namely on the X-part and the Z-part of the sample separately. Only if both error rates are below a fixed error tolerance do they continue the protocol using the rest as the raw key (for details, see their article [15]). The LCA protocol trivially has no basis information leak. In addition, it turns out that it also samples uniformly. This is in fact non-trivial, and to our knowledge it was not proved in the literature. We fill this gap: the uniform sampling property of the LCA protocol turns out to be a corollary of Proposition 2 below. Thus, the LCA protocol could be used as a secure replacement for iterative sifting.

FIG. 2. Comparison of the expected sifting efficiencies. a) In the protocol of Shor and Preskill [21], only about a quarter of the measurement results end up in the raw key. Moreover, a relatively large amount of randomness needs to be injected for the sample choice, which in turn increases the length of pre-shared secret key that Alice and Bob use for authenticated communication. b) The protocol by Lo, Chau and Ardehali [15] allows for a bias, p_x > p_z. This way, the expected fraction of bits with basis disagreements shrinks from one half to 2 p_x p_z. The proportions drawn in this figure correspond to p_x = 0.8. However, it still requires randomness injection for the choice of the sample. c) If, instead, LCA sifting and SBPE are used, as we suggest, then no randomness injection is required for the choice of the sample. Moreover, fewer bits are consumed for parameter estimation in the finite-key regime, resulting in a longer raw key.
LCA Sifting

Protocol Parameters: n, k, m ∈ ℕ⁺ with m ≥ n + k, and p_x, p_z ∈ [0,1] with p_x + p_z = 1.

Output: For l = n + k, the outputs are:

Alice: l-bit string (s_i)_{i=1}^l ∈ {0,1}^l (measurement outcomes, sifted) or s = ⊥ (if the protocol aborts),

Bob: l-bit string (t_i)_{i=1}^l ∈ {0,1}^l (measurement outcomes, sifted) or t = ⊥ (if the protocol aborts),

public: l-bit string (ϑ_i)_{i=1}^l ∈ {0,1}^l with |ϑ| = k (basis choices, sifted), where 0 means X-basis and 1 means Z-basis, or ϑ = ⊥ (if the protocol aborts).

Number of rounds: Fixed number m (protocol parameter).

The protocol

Loop phase: Steps 1 to 4 are repeated m times (round index r = 1, …, m). Starting with round r = 1, Alice and Bob do the following:

Step 1 (Preparation): Alice prepares a qubit pair in a maximally entangled state.

Step 2 (Channel use): Alice uses the quantum channel to send one share of the qubit pair to Bob.

Step 3 (Random bit generation): Alice and Bob each (independently) generate a random classical bit a_r and b_r, respectively, where 0 is generated with probability p_x and 1 is generated with probability p_z.

Step 4 (Measurement): Alice measures her share in the X-basis (if a_r = 0) or in the Z-basis (if a_r = 1), and stores the outcome in a classical bit y_r. Likewise, Bob measures his share in the X'-basis (if b_r = 0) or in the Z'-basis (if b_r = 1), and stores the outcome in a classical bit y'_r.

Final phase: The following steps are performed in a single run:

Step 5' (Quota Check): Alice and Bob determine the sets

u(m) = {r ∈ [m] | a_r = b_r = 0},   v(m) = {r ∈ [m] | a_r = b_r = 1}.

They check whether the quota condition (|u(m)| ≥ n and |v(m)| ≥ k) holds. If it holds, they proceed with Step 6. Otherwise, they abort.

Step 6 (Random Discarding): Alice and Bob choose a subset u ⊆ u(m) of size n at random, i.e. each subset of size n is equally likely to be chosen. Analogously, they choose a subset v ⊆ v(m) of size k at random. Then they discard the bits a_r, b_r, y_r and y'_r for which r ∉ u ∪ v.

Step 7 (Order-preserving relabeling): Let r_i be the i-th element of u ∪ v. Then Alice determines (s_i)_{i=1}^l ∈ {0,1}^l, Bob determines (t_i)_{i=1}^l ∈ {0,1}^l and together they determine (ϑ_i)_{i=1}^l ∈ {0,1}^l, where for every i ∈ [l],

s_i = y_{r_i},   t_i = y'_{r_i},   ϑ_i = a_{r_i} (= b_{r_i}).

Step 8 (Output): Alice locally outputs (s_i)_{i=1}^l, Bob locally outputs (t_i)_{i=1}^l and they publicly output (ϑ_i)_{i=1}^l.


On the one hand, we suggest using the sifting part of the LCA protocol. To be clear about the details of the sifting scheme, we have written it out in our notation in Protocol III. On the other hand, we find that the parameter estimation part of the LCA protocol is unnecessarily complicated and inefficient: it needs randomness injection for part of the sample choice, and it requires the estimation of two error rates instead of one. What if, instead, LCA sifting is followed by SBPE, i.e., only the error rate on the Z-agreements is determined? The critical question is whether this would still lead to uniform sampling. As the following proposition shows, this is indeed the case.

Proposition 2: The combination of LCA sifting (Protocol III) and SBPE (Protocol II) samples uniformly. In other words, the LCA sifting protocol satisfies

$$ P_\Theta(\vartheta) = P_\Theta(\vartheta') \quad \forall \vartheta, \vartheta' \in \{0,1\}^l_k . \tag{21} $$

In contrast to protocols that use randomness injection for the sample choice, the uniform sampling property is non-trivial to prove for LCA sifting with SBPE. We prove Proposition 2 in Appendix C (see the corollary of Proposition 8). This shows that the combination of LCA sifting and SBPE is secure and can therefore be used to replace iterative sifting.§ For protocols that use these subroutines, the abort probability p_abort of the sifting step is important because it affects the key rate of the QKD protocol. We calculate p_abort in Appendix C as well (Proposition 8).

This is good news for efficiency, as no randomness injection is required for the choice of the sample. Since this random sample choice would need to be communicated between Alice and Bob in an authenticated way, this also uses up less secret key from the initial key pool (see [23] for a discussion of the key cost of classical post-processing). One can see in Figure 2 that in the finite-key regime, this also leads to a larger raw key. Together with Proposition 3, which we will discuss in Section V, this also establishes security of the protocol in the finite-key regime. In contrast, the original work of LCA [15] only establishes asymptotic security.

Suggestion: Use LCA sifting (Protocol III) and SBPE (Protocol II).

Let us briefly remark on the efficiency of LCA sifting in comparison to that of iterative sifting. They differ in that LCA sifting has no communication during the loop phase, see property (3) above. The question is whether this necessarily means that the efficiency is strongly reduced in comparison with iterative sifting.


§ This also establishes uniform sampling for the whole LCA protocol (with the parameter estimation protocol with randomness injection instead of SBPE). This is because the parameter estimation protocol of LCA can now be seen as a two-stage random sampling without replacement, where in both stages the sampling probabilities are uniform. This leads to overall uniform sampling.
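The following is an added example, not code from the paper or from Lo, Chau and Ardehali. It runs Protocol III, computes the abort probability p_abort of Step 5' exactly from the multinomial distribution of X-agreements, Z-agreements and disagreements over the m rounds, and optimises the expected efficiency η = R/M of Eq. (22) over m as done for Figure 3; taking R = 0 on abort is an assumption made here, and the uniform sampling check on the simulated output is our own test of Proposition 2.

```python
"""LCA sifting (Protocol III) as a simulation, with the exact abort
probability and the expected efficiency eta = R/M optimised over m.
Added example, not code from the paper or from Lo, Chau and Ardehali;
it assumes R = 0 when the protocol aborts."""
import math
import random

X, Z = 0, 1  # 0 = X-basis, 1 = Z-basis, as in the protocol description


def lca_sift(n, k, m, p_x, rng):
    """One run of Protocol III.  No classical communication happens during
    the m rounds; bases are compared only in the final phase.
    Returns the public sifted basis string theta, or None if it aborts."""
    a = [X if rng.random() < p_x else Z for _ in range(m)]   # Step 3, Alice
    b = [X if rng.random() < p_x else Z for _ in range(m)]   # Step 3, Bob
    u_m = [r for r in range(m) if a[r] == b[r] == X]         # u(m)
    v_m = [r for r in range(m) if a[r] == b[r] == Z]         # v(m)
    if len(u_m) < n or len(v_m) < k:                          # Step 5'
        return None
    kept = sorted(rng.sample(u_m, n) + rng.sample(v_m, k))   # Steps 6 and 7
    return "".join(str(a[r]) for r in kept)                  # Step 8, public part


def p_abort(n, k, m, p_x):
    """Exact abort probability.  Per round: X-agreement w.p. p_x^2,
    Z-agreement w.p. p_z^2, disagreement w.p. 2 p_x p_z; the counts over m
    rounds are multinomial, and the protocol passes iff U >= n and V >= k."""
    p_z = 1.0 - p_x
    q_x, q_z, q_d = p_x ** 2, p_z ** 2, 2 * p_x * p_z
    p_pass = 0.0
    for ux in range(n, m + 1):
        for vz in range(k, m - ux + 1):
            d = m - ux - vz
            p_pass += (math.comb(m, ux) * math.comb(m - ux, vz)
                       * q_x ** ux * q_z ** vz * q_d ** d)
    return 1.0 - p_pass


def expected_efficiency(n, k, m, p_x):
    """E[eta] with eta = R/M (Eq. 22): R = n + k on pass, 0 on abort."""
    return (n + k) * (1.0 - p_abort(n, k, m, p_x)) / m


def best_m(n, k, p_x, m_max=100):
    """Round number m maximising E[eta]: the trade-off behind Figure 3."""
    return max(range(n + k, m_max + 1),
               key=lambda m: expected_efficiency(n, k, m, p_x))


def lca_sampling(n, k, m, p_x, trials, seed=1):
    """Empirical P_Theta(theta) and abort frequency; Proposition 2 predicts
    equal mass on every weight-k string, summing to 1 - p_abort."""
    rng = random.Random(seed)
    counts, aborts = {}, 0
    for _ in range(trials):
        theta = lca_sift(n, k, m, p_x, rng)
        if theta is None:
            aborts += 1
        else:
            counts[theta] = counts.get(theta, 0) + 1
    return {t: c / trials for t, c in sorted(counts.items())}, aborts / trials
```

For n = k = 1 and p_x = 1/2, for instance, best_m returns m = 5: fewer rounds abort too often, more rounds waste sifted efficiency, and the closed-form p_abort agrees with the abort frequency of lca_sampling.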


Protocol III. The Lo-Chau-Ardehali (LCA) sifting protocol.

FIG. 3. Efficiency comparison of the two sifting protocols. The plots show lower bounds on the expected efficiencies for symmetric probabilities p_x = p_z = 1/2 and for identical quotas n = k. The solid red curve shows a lower bound on the expected value of the efficiency for the iterative sifting protocol as a function of n = k. For the LCA sifting protocol, an optimization over the additional parameter m has been made for each value of n = k.
We define the efficiency η of a sifting protocol as

$$ \eta = \frac{R}{M} , \tag{22} $$

where R is the random variable of the number of rounds that are kept after sifting and M is the random variable of the total number of rounds performed in the loop phase of the protocol. We explain this in more detail in Appendix D. A plot of the expected efficiency for iterative sifting and for LCA sifting is shown in Figure 3 for the special case of symmetric probabilities p_x = p_z and identical quota n = k (this special case is computationally much easier to calculate; for other choices, the computation becomes very hard). We find that iterative sifting is more efficient, as expected, but the difference between the two efficiencies becomes insignificant for practically relevant quota sizes n and k.

V. FORMAL CRITERIA FOR GOOD SIFTING

In Section II, we have seen that iterative sifting leads to problems. In Section IV, we showed that these problems can be avoided by using LCA sifting (Protocol III) and SBPE (Protocol II). In this section, we give a more complete answer to the question of how these problems can be avoided by presenting two simple formal criteria that are sufficient for a sifting protocol to lead to a correct parameter estimation. More precisely, we describe two formal properties of the state produced by a sifting protocol which guarantee that if the protocol is followed by SBPE (Protocol II), then Inequality (6) holds. As indicated in the introduction, the two properties take the form of equalities, see Equations (1) and (2). We prove the sufficiency of these two criteria by deriving (6) from them in Proposition 3 below.

In order to state the two criteria and the random variable Λ_key in (6) formally, we need to define a certain kind of quantum state ρ_{A^l B^l Θ^l} associated with a sifting protocol. To explain what this state is, we explain what the state ρ_{A^l B^l Θ^l} is like for LCA sifting. It is a state that is best described in a variation of the protocol. Suppose that Alice and Bob run the protocol, but they skip the measurement in every round. Instead, they keep each qubit system in their lab without modifying its state. With current technology, this is practically impossible, but since ρ_{A^l B^l Θ^l} is a purely mathematical construct, we do not worry about the technical feasibility. Notice that Alice and Bob still make basis choices, compare them and discard rounds; they just do not actually perform the measurements. Let us compare the output of this modified protocol with the output of the original protocol:

              original protocol              modified protocol
  Alice       l bits s = (s_i)_{i=1}^l       l-qubit state ρ_{A^l}
  Bob         l bits t = (t_i)_{i=1}^l       l-qubit state ρ_{B^l}
  public      l bits ϑ = (ϑ_i)_{i=1}^l       l bits ϑ = (ϑ_i)_{i=1}^l


Hence, if we model the classical bit string ϑ as the state of a classical register Θ^l, we can say that the output of the modified protocol is a quantum-quantum-classical (QQC) state ρ_{A^l B^l Θ^l}. More generally, the state ρ_{A^l B^l Θ^l} associated with a sifting protocol is its output state in the case where all the measurements are skipped.

This state still carries all the probabilistic information of the original protocol. To see this, let X = {X_0, X_1} and Z = {Z_0, Z_1} be the POVMs describing Alice's X- and Z-measurement, let X' = {X'_0, X'_1} and Z' = {Z'_0, Z'_1} be the POVMs describing Bob's X- and Z-measurement, and let M = {M_0, M_1} be the projective measurement on Θ with respect to which the state of the register Θ is diagonal. Define the operators

$$ O_0 = X_0 , \quad O_1 = X_1 , \quad O_2 = Z_0 , \quad O_3 = Z_1 , $$

$$ O'_0 = X'_0 , \quad O'_1 = X'_1 , \quad O'_2 = Z'_0 , \quad O'_3 = Z'_1 . \tag{23} $$

Then, the probability distribution over the output of the protocol is

$$ P_{ST\Theta}(s, t, \vartheta) = \operatorname{tr}\bigl( \Pi(s, t, \vartheta)\, \rho_{(AB\Theta)^{\otimes l}} \bigr) , \tag{24} $$

where ρ_{(ABΘ)^{⊗l}} is the same state as ρ_{A^l B^l Θ^l} but with the registers reordered in the obvious way, and where

$$ \Pi(s, t, \vartheta) = \bigotimes_{i=1}^{l} \bigl( O_{2\vartheta_i + s_i} \otimes O'_{2\vartheta_i + t_i} \otimes M_{\vartheta_i} \bigr) . \tag{25} $$

With the state ρ_{A^l B^l Θ^l} associated with a sifting protocol at hand, it is easy to define the random variable Λ_key associated with the protocol. The relevant probability space is the discrete probability space (Ω_{ZZ'Θ}, P_{ZZ'Θ}), where Ω_{ZZ'Θ} is the sample space

$$ \Omega_{ZZ'\Theta} = \{0,1\}^l \times \{0,1\}^l \times \{0,1\}^l_k \tag{26} $$

and where P_{ZZ'Θ} is the probability mass function

$$ P_{ZZ'\Theta} : \Omega_{ZZ'\Theta} \to [0,1] , \qquad (z, z', \vartheta) \mapsto \operatorname{tr}\Bigl( \bigotimes_{i=1}^{l} \bigl( Z_{z_i} \otimes Z'_{z'_i} \otimes M_{\vartheta_i} \bigr)\, \rho_{A^l B^l \Theta^l} \Bigr) . \tag{27} $$

The probability mass function P_{ZZ'Θ} corresponds to a Gedankenexperiment in which Alice and Bob measure all qubits in the Z-basis.

Now we are able to formally say what the random variable Λ_key of a sifting protocol is. Let ρ_{A^l B^l Θ^l} be the state associated with the sifting protocol, and let (Ω_{ZZ'Θ}, P_{ZZ'Θ}) be the probability space as in Equations (26) and (27). Then Λ_key is the random variable

$$ \Lambda_{\text{key}} : \Omega_{ZZ'\Theta} \to [0,1] , \qquad (z, z', \vartheta) \mapsto \frac{1}{n} \sum_{i=1}^{l} (1 - \vartheta_i)\,(z_i \oplus z'_i) , \tag{28} $$

which is the key bit error rate. Analogously, we have the test bit error rate

$$ \Lambda_{\text{test}} : \Omega_{ZZ'\Theta} \to [0,1] , \qquad (z, z', \vartheta) \mapsto \frac{1}{k} \sum_{i=1}^{l} \vartheta_i\,(z_i \oplus z'_i) . \tag{29} $$

This allows us to formally define the tail probability p_tail. We define it via the same formula as in (4), which we repeat here for the reader's convenience:

$$ p_{\text{tail}}(\mu) = P\bigl[ \Lambda_{\text{key}} \ge \Lambda_{\text{test}} + \mu \,\big|\, \Lambda_{\text{test}} \le Q_{\text{tol}} \bigr] . \tag{4} $$

The difference is that now we have formally defined all the components of the equality. The following proposition states the tail probability bound in a formal way.

Proposition 3 (Tail probability estimate): Let ρ_{A^l B^l Θ^l} be a density operator of a system A^l B^l Θ^l where A and B are qubit systems and Θ is a classical system, let {Z_0, Z_1} and {Z'_0, Z'_1} be POVMs on the quantum systems A and B, respectively, let {M_0, M_1} be the read-out measurement of the classical system Θ, let Λ_key, Λ_test be random variables on the discrete probability space (Ω_{ZZ'Θ}, P_{ZZ'Θ}) as defined in Equations (26) to (29) and let p_tail be as in Equation (4). Let ρ_{A^l B^l} and ρ_{Θ^l} denote the according reduced states of ρ_{A^l B^l Θ^l} and let P_Θ denote the according marginal of P_{ZZ'Θ}. If the two conditions

$$ P_\Theta(\vartheta) = P_\Theta(\vartheta') \quad \forall \vartheta, \vartheta' \in \{0,1\}^l_k \quad \text{and} \tag{1} $$

$$ \rho_{A^l B^l \Theta^l} = \rho_{A^l B^l} \otimes \rho_{\Theta^l} \tag{2} $$

hold, then

$$ p_{\text{tail}}(\mu) \le \frac{\exp\bigl( -2\mu^2 \cdot [\text{illegible factor involving } k+1] \bigr)}{p_{\text{pass}}} , \tag{6} $$

where

$$ p_{\text{pass}} = P\bigl[ \Lambda_{\text{test}} \le Q_{\text{tol}} \bigr] . $$

We prove Proposition 3 in Appendix E. The formulation of Proposition 3 allows us to see the formal requirements on a sifting protocol to lead to a correct parameter estimation when followed by SBPE: Condition (1) is exactly the statement that the sampling probability does not depend on the sample, i.e. the protocol leads to uniform sampling. There is one thing that we want to point out here: while it is sufficient for the sampling probabilities to be the inverse of the number of possible samples, condition (1) is strictly weaker. In the case where there is a non-zero probability that the protocol aborts during the sifting phase (as it is the case for LCA sifting), the sampling probabilities do not add up to 1 but rather to $1 - p_{\mathrm{abort}}$, where $p_{\mathrm{abort}}$ is the probability that the protocol aborts during the sifting phase.

Condition (2) is the formal statement of what it means for a protocol that the basis choice register is uncorrelated with Alice's and Bob's qubits before measuring. Proposition 3 states that if these two conditions are satisfied, then the correlation test of the SBPE protocol leads to the right conclusion. Hence, these are the two conditions that a sifting protocol needs to satisfy in order to be a good sifting protocol.

We point out that the digression to a classical probability space, Equations (26) to (29) and (4), is a mere change of notation. However, the fact that it is possible to express Proposition 3 in terms of a classical probability space shows that this part of a QKD security analysis is purely classical.


VI. CONCLUSION 

In recent years QKD has emerged as a commercial 
technology, with the prospect of global QKD networks 
on the horizon [19]. All QKD implementations have finite size, and yet only recently has finite-key analysis approached mathematical rigor [3-6, 8-11]. In this work, we showed that further modifications of the protocols and/or their analysis are needed to make finite-key analysis rigorous.

We pointed out that sifting, a stage of QKD that is often overlooked with respect to security analysis, is actually crucial for security. A carelessly designed sifting subroutine can jeopardize the security of an otherwise reliable protocol. We found that iterative sifting, a sifting protocol that has both been proposed theoretically [3, 4, 8, 9] and been implemented experimentally [12], violates two assumptions in the typical security analysis. We showed how the violation of these assumptions can be exploited by an eavesdropper, leading to intercept-resend attacks with unexpectedly low error rates (see Fig. 1).

We presented an alternative scheme, LCA sifting and 
SBPE, and proved that it solves the two problems. We 
derived an expression for its abort probability and there¬ 
fore provided everything that is needed for its future use 
as a subroutine. We argued that this scheme is more economical and efficient than some other previously
proposed protocols, as it does not require an additional 
random seed for the sample and at the same time al¬ 
lows for asymmetric basis choice probabilities. As we ex¬ 
plained, the latter allows for a significantly higher sifting 
efficiency [15]. 

We gave the precise mathematical form of the two as¬ 
sumptions that are needed for secure sifting in Eqs. (1) 
and (2). In doing so, we have provided a guide for the 
construction of future protocols: when designing a sift¬ 
ing protocol, one just needs to check these two conditions 
in order to make sure that the usual analysis of the pa¬ 
rameter estimation based on Inequality (6) is correct and 
the protocol is secure. This may require a mathematical model for the state $\rho_{A^l B^l \Theta}$ or for the probabilities of the output strings $s$, $t$ and $\vartheta$ generated by the sifting protocol. Such models are rarely provided in the literature. In the case of iterative sifting, the absence of such a model to check the desired properties has led to a wrong security analysis.

This points to a deeper problem in QKD security anal¬ 
ysis: there is often a gap between the physical protocols 
that are written down as instructions for Alice and Bob 
and the mathematics of the security proof. This is not 
a purely pedantic issue, but rather a very practical one 
which can be exploited by eavesdroppers. In the future, 
we advocate that each step in the physical QKD proto¬ 
col be explicitly mathematically modeled. In particular, 
we emphasize that sifting protocols must be proved to 
(rather than assumed to) satisfy the desired assumptions 
of the analysis. We believe our work will ultimately in¬ 
spire more complete security proofs of finite-size QKD. 
APPENDIX

Conventions

We make some notational conventions for the appendix (in addition to the ones we made in Equation (7)). For the iterative sifting protocol as in Protocol I, we denote by $N_x$ the random variable of the number of X-agreements, and analogously, $N_z$ and $N_d$ are the random variables of the number of Z-agreements and disagreements in the loop phase, respectively. We write events as logical statements of the random variables, e.g. $\Theta = 110 \wedge N_x > 2$ is the event in which the protocol runs with more than two X-agreements and produces the output $\vartheta = 110$, and its probability is given by $P[\Theta = 110 \wedge N_x > 2]$. In cases where all involved random variables have fixed values, we occasionally write expressions in terms of probability mass functions instead of in terms of probability weights of events (as we have done it in the main article), e.g. we write

  $P_{\Theta N_x N_z N_d}(\vartheta, n_x, n_z, n_d) := P[\Theta = \vartheta \wedge N_x = n_x \wedge N_z = n_z \wedge N_d = n_d] .$

In cases with inequalities, it is however shorter to use the event notation, e.g.

  $P[A_1 \neq B_1] = P_{A_1 B_1}(0, 1) + P_{A_1 B_1}(1, 0) .$          (32)

We will use whatever notation we find more appropriate in each case.


Appendix A: Sampling probability calculation for iterative sifting

In this appendix, we prove Proposition 1, i.e. we calculate the sampling probabilities $P_\Theta(\vartheta)$ for iterative sifting with $n = 1$ and $k = 2$ and find $P_\Theta(110) = g_z^2$ and $P_\Theta(101) = P_\Theta(011) = (1 - g_z^2)/2$, where $g_z = p_z^2/(p_z^2 + p_x^2)$.

Proof of Proposition 1. We first write out the sequence of equalities that lead to the claim. We explain each equality below. The sequence of equalities looks as follows:

  $P_\Theta(110) = \sum_{n_x=1}^{\infty}\sum_{n_z=2}^{\infty}\sum_{n_d=0}^{\infty} P_{\Theta N_x N_z N_d}(110, n_x, n_z, n_d)$          (A1)

  $\qquad = \sum_{n_z=2}^{\infty}\sum_{n_d=0}^{\infty} P_{\Theta N_x N_z N_d}(110, 1, n_z, n_d)$          (A2)

  $\qquad = \sum_{n_z=2}^{\infty}\sum_{n_d=0}^{\infty} p_x^2\, p_z^{2 n_z}\,(2 p_x p_z)^{n_d}\binom{n_z + n_d}{n_d}$          (A3)

  $\qquad = g_z^2, \qquad \text{where } g_z = \frac{p_z^2}{p_z^2 + p_x^2} .$          (A4)

Equation (A1) is just stating that $P_\Theta$ is the marginal of $P_{\Theta N_x N_z N_d}$. The ranges of the sums can be explained as follows. The iterative sifting protocol always runs until there have been at least $n$ X-agreements and at least $k$ Z-agreements. Therefore,

  $P_{\Theta N_x N_z N_d}(\vartheta, n_x, n_z, n_d) = 0 \quad \text{if } n_x < n \text{ or } n_z < k .$          (A5)

In our case, $n = 1$ and $k = 2$, hence the limits of the sums.

Equation (A2) follows from

  $P_{\Theta N_x N_z N_d}(110, n_x, n_z, n_d) = 0 \quad \text{for } n_x \geq 2 .$          (A6)

One can see (A6) as follows: if $N_x \geq 2$, then necessarily $N_z = 2$, because $N_x > n \wedge N_z > k$ is impossible in iterative sifting (the loop phase of the protocol is terminated as soon as both quotas are met). This means that during the random discarding, no Z-agreement gets discarded. Moreover, if $N_x \geq 2$, then the last round of the loop phase must be a Z-agreement. Since this Z-agreement is not discarded, we have that $\Theta$ must necessarily end in a 1 if $N_x \geq 2$, so $\Theta = 110$ is impossible in that case.

To see why Equation (A3) holds, note that the event

  $\Theta = 110 \wedge N_x = 1 \wedge N_z = n_z \wedge N_d = n_d$          (A7)

consists of all runs of the protocol in which one X-agreement, $n_z$ Z-agreements and $n_d$ disagreements occurred, and where the X-agreement was the last round of the loop phase. This is because in every such run, one necessarily ends up with $\Theta = 110$, and if $\Theta = 110$, then the last round of the loop phase must be an X-agreement. There are $\binom{n_z + n_d}{n_d}$ such runs, and each of them has the probability $p_x^2\, p_z^{2 n_z}\,(2 p_x p_z)^{n_d}$, and therefore

  $P_{\Theta N_x N_z N_d}(110, 1, n_z, n_d) = \binom{n_z + n_d}{n_d}\, p_x^2\, p_z^{2 n_z}\,(2 p_x p_z)^{n_d} .$          (A8)

This explains Equation (A3). Finally, equation (A4) is just an evaluation of the expression in the line above. This shows $P_\Theta(110) = g_z^2$.

It remains to be shown that $P_\Theta(101) = P_\Theta(011) = (1 - g_z^2)/2$. In analogy to the above, it holds that

  $P_\Theta(101) = \sum_{n_x=1}^{\infty}\sum_{n_z=2}^{\infty}\sum_{n_d=0}^{\infty} P_{\Theta N_x N_z N_d}(101, n_x, n_z, n_d)$          (A9)

  $\qquad = \sum_{n_x=1}^{\infty}\sum_{n_d=0}^{\infty} P_{\Theta N_x N_z N_d}(101, n_x, 2, n_d) .$          (A10)

Equation (A9) is, in analogy to Equation (A1), stating that $P_\Theta$ is the marginal of $P_{\Theta N_x N_z N_d}$; the same argumentation for the limits of the sums applies. Equation (A10) is explained by a similar reasoning as for Equation (A2): it follows from

  $P_{\Theta N_x N_z N_d}(101, n_x, n_z, n_d) = 0 \quad \text{for } n_z \geq 3 .$          (A11)

For Equation (A11), note that if $N_z \geq 3$, then $N_x = 1$ because $N_x > n \wedge N_z > k$ is impossible in iterative sifting. Thus, no X-agreement gets discarded. Moreover, if $N_z \geq 3$, then the last round of the loop phase must be an X-agreement. Since this X-agreement is not discarded, $\Theta$ necessarily ends in a 0 if $N_z \geq 3$, so $\Theta = 101$ is impossible in this case. Analogously, it holds that

  $P_\Theta(011) = \sum_{n_x=1}^{\infty}\sum_{n_z=2}^{\infty}\sum_{n_d=0}^{\infty} P_{\Theta N_x N_z N_d}(011, n_x, n_z, n_d)$          (A12)

  $\qquad = \sum_{n_x=1}^{\infty}\sum_{n_d=0}^{\infty} P_{\Theta N_x N_z N_d}(011, n_x, 2, n_d) .$          (A13)

The next step is to realize that for every $n_x \geq 1$ and for every $n_d \in \{0, 1, 2, \dots\}$, it holds that

  $P_{\Theta N_x N_z N_d}(101, n_x, 2, n_d) = P_{\Theta N_x N_z N_d}(011, n_x, 2, n_d) .$          (A14)

This is because the event

  $\Theta = 101 \wedge N_x = n_x \wedge N_z = 2 \wedge N_d = n_d$          (A15)

and the event

  $\Theta = 011 \wedge N_x = n_x \wedge N_z = 2 \wedge N_d = n_d$          (A16)

consist of equally many histories of the protocol, and each of these histories has the same probability. Equations (A10), (A13) and (A14) imply $P_\Theta(101) = P_\Theta(011)$. Since $P_\Theta(011) + P_\Theta(101) + P_\Theta(110) = 1$ and $P_\Theta(110) = g_z^2$, it holds that $P_\Theta(011) = P_\Theta(101) = (1 - g_z^2)/2$ as claimed. □
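As an added numerical check (not part of the original paper), the following Python script simulates Protocol I as it is used in the proof above, with basis bit 0 for X and 1 for Z: the loop phase runs until at least $n$ X-agreements and $k$ Z-agreements have occurred, surplus agreements are then discarded uniformly at random, and $\vartheta$ is the basis string of the kept rounds in round order. The empirical frequency of $\Theta = 110$ is compared with $g_z^2$ from Proposition 1, and the helper `max_deviation_from_uniform` measures how far the estimate is from condition (1) of Proposition 3. The simulator and all function names are ours; the protocol steps are the ones assumed in Appendix A.

```python
"""Monte Carlo check of the sampling distribution P_Theta of iterative sifting.
Added example; the simulator follows Protocol I as it is used in Appendix A
(loop until the quotas n, k are met, then discard surplus agreements at
random) and is not code from the paper.  Basis bit 0 = X, 1 = Z."""

import random
from collections import Counter
from math import comb


def iterative_sifting_theta(rng, p_x, n, k):
    """One run of the loop and discarding phases; returns theta, the basis
    string of the kept rounds in round order (n zeros and k ones)."""
    x_rounds, z_rounds, i = [], [], 0
    while len(x_rounds) < n or len(z_rounds) < k:       # loop phase
        a = 0 if rng.random() < p_x else 1                # Alice's basis
        b = 0 if rng.random() < p_x else 1                # Bob's basis, independent
        if a == b == 0:
            x_rounds.append(i)
        elif a == b == 1:
            z_rounds.append(i)
        i += 1
    # Final phase: surplus agreements are discarded uniformly at random.
    kept = [(r, 0) for r in rng.sample(x_rounds, n)] + [(r, 1) for r in rng.sample(z_rounds, k)]
    return "".join(str(basis) for _, basis in sorted(kept))


def estimate_p_theta(p_x, n=1, k=2, runs=50_000, seed=7):
    """Empirical P_Theta from `runs` simulated protocol runs (seeded, so the
    result is reproducible)."""
    rng = random.Random(seed)
    counts = Counter(iterative_sifting_theta(rng, p_x, n, k) for _ in range(runs))
    return {theta: c / runs for theta, c in counts.items()}


def predicted_p_110(p_x):
    """Proposition 1: for n = 1, k = 2, P_Theta(110) = g_z^2 with g_z = p_z^2 / (p_z^2 + p_x^2)."""
    p_z = 1.0 - p_x
    g_z = p_z ** 2 / (p_z ** 2 + p_x ** 2)
    return g_z ** 2


def max_deviation_from_uniform(p_theta, n=1, k=2):
    """Largest |P_Theta(theta) - 1/C(n+k, n)| over the observed samples.
    Condition (1) of Proposition 3 would make this zero; for iterative
    sifting it is not, and the bias grows with the asymmetry of p_x."""
    uniform = 1 / comb(n + k, n)
    return max(abs(p - uniform) for p in p_theta.values())


if __name__ == "__main__":
    for p_x in (0.5, 0.7):
        dist = estimate_p_theta(p_x)
        print(p_x, dict(sorted(dist.items())),
              "predicted P(110) =", round(predicted_p_110(p_x), 4),
              "max deviation from uniform =", round(max_deviation_from_uniform(dist), 3))
```

For $p_x = 1/2$ the three samples already have probabilities $1/4$, $3/8$, $3/8$ instead of $1/3$ each, and for $p_x = 0.7$ the sample $110$ is drawn with probability $g_z^2 \approx 0.024$; this is the bias that the attack of Section III A exploits.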
Appendix B: Error rate calculations for the attacks on iterative sifting

1. Attack that exploits non-uniform sampling

Here, we calculate the expected error rate for the attack on iterative sifting which exploits non-uniform sampling, as explained in Section III A. We first recall the relevant conventions that we made in the main article. The iterative sifting protocol is described in Protocol I; here $n = k = 1$, so that $\Theta \in \{01, 10\}$. Eve performs an intercept-resend attack during the loop phase of the protocol. In the first round, she attacks in the X-basis, and in all the other rounds of the loop phase, she attacks in the Z-basis. We defined the error rate in Equation (17) in the main article, namely

  $E = \frac{1}{l}\sum_{i=1}^{l} s_i \oplus t_i .$          (B1)

Moreover, recall that we assume that the X- and Z-basis is the same for Alice, Bob and Eve, and that they are mutually unbiased. This way, if Alice and Bob measure in the same basis, but Eve measures in the other basis, then Eve introduces an error probability of 1/2 on this qubit.

The calculation of $\langle E \rangle$ for this attack goes as follows. We first make a split:

  $\langle E \rangle = \sum_{\vartheta} P[\Theta = \vartheta]\,\langle E \mid \Theta = \vartheta \rangle$          (B2)

  $\qquad = P[\Theta = 01]\,\langle E \mid \Theta = 01 \rangle + P[\Theta = 10]\,\langle E \mid \Theta = 10 \rangle .$          (B3)

We denote the two summands in (B3) by $\Lambda_x$ and $\Lambda_z$, respectively. We have that

  $\Lambda_x = \sum_{n_x=1}^{\infty}\Big[ P[\Theta = 01 \wedge N_x = n_x \wedge A_1 = B_1 = 0]\,\langle E \mid \Theta = 01 \wedge N_x = n_x \wedge A_1 = B_1 = 0\rangle$
  $\qquad\quad + P[\Theta = 01 \wedge N_x = n_x \wedge A_1 \neq B_1]\,\langle E \mid \Theta = 01 \wedge N_x = n_x \wedge A_1 \neq B_1\rangle$          (B4)
  $\qquad\quad + \underbrace{P[\Theta = 01 \wedge N_x = n_x \wedge A_1 = B_1 = 1]}_{= 0}\,\langle E \mid \Theta = 01 \wedge N_x = n_x \wedge A_1 = B_1 = 1\rangle \Big] .$

The third summand on the right hand side of Equation (B4) vanishes because $\Theta = 01$ is impossible if Alice and Bob have a Z-agreement in the first round of the loop phase. The event

  $\Theta = 01 \wedge N_x = n_x \wedge A_1 = B_1 = 0$          (B5)

consists of all histories of the protocol in which Alice and Bob have an X-agreement in the first round and $n_x$ X-agreements in total. Infinitely many such histories are possible because an arbitrary number of disagreements is possible. We express the probability of the event (B5) as the marginal of the probability of the event

  $\Theta = 01 \wedge N_x = n_x \wedge A_1 = B_1 = 0 \wedge N_d = n_d .$          (B6)

The event (B6) consists of $\binom{n_x + n_d - 1}{n_d}$ histories of the protocol, and each history has the probability $(p_x^2)^{n_x}\, p_z^2\,(2 p_x p_z)^{n_d}$. Therefore,

  $P[\Theta = 01 \wedge N_x = n_x \wedge A_1 = B_1 = 0] = \sum_{n_d=0}^{\infty} P[\Theta = 01 \wedge N_x = n_x \wedge A_1 = B_1 = 0 \wedge N_d = n_d]$          (B7)

  $\qquad = \sum_{n_d=0}^{\infty} (p_x^2)^{n_x}\, p_z^2\,(2 p_x p_z)^{n_d}\binom{n_x + n_d - 1}{n_d} .$          (B8)

Moreover, we have that

  $\langle E \mid \Theta = 01 \wedge N_x = n_x \wedge A_1 = B_1 = 0 \rangle = \frac{1}{4}\cdot\frac{n_x - 1}{n_x} .$          (B9)

The validity of (B9) can be seen as follows. On the second bit of $S$ and $T$, there is no error because it comes from a round in which all parties have measured in the Z-basis. Hence, the left hand side of (B9) is the probability of getting an error on the first bit of $S$ and $T$, divided by the total number of bits, 2. Hence, we need to determine the error probability of the first bit. If $n_x = 1$, then the first bit comes from the first round of the loop phase, in which Alice, Bob and Eve have measured in the X-basis and hence, there is no error. However, for $N_x = n_x$, the first bit of $S$ and $T$ is chosen at random from one of the $n_x$ X-agreements. In only one of these $n_x$ rounds, Eve has measured in the X-basis, and in $n_x - 1$ rounds, she measured in the Z-basis. Hence, the probability that Eve measured in the wrong basis on the first bit of $S$ and $T$ is $(n_x - 1)/n_x$, and therefore the error probability of the first bit is $\frac{1}{2}\cdot\frac{n_x - 1}{n_x}$. Thus,

  $\langle E \mid \Theta = 01 \wedge N_x = n_x \wedge A_1 = B_1 = 0 \rangle = \frac{1}{2}\cdot\frac{1}{2}\cdot\frac{n_x - 1}{n_x}$          (B10)

  $\qquad = \frac{1}{4}\cdot\frac{n_x - 1}{n_x} .$          (B11)

Similarly, we get

  $P[\Theta = 01 \wedge N_x = n_x \wedge A_1 \neq B_1] = \sum_{n_d=0}^{\infty} (p_x^2)^{n_x}\, p_z^2\,(2 p_x p_z)^{n_d}\binom{n_x + n_d - 1}{n_x}$          (B12)

and

  $\langle E \mid \Theta = 01 \wedge N_x = n_x \wedge A_1 \neq B_1 \rangle = \frac{1}{4} .$          (B13)

Taking Equations (B8), (B9), (B12) and (B13) together, we get that

  $\Lambda_x = \frac{1}{4}\sum_{n_x=1}^{\infty}\sum_{n_d=0}^{\infty} (p_x^2)^{n_x}\, p_z^2\,(2 p_x p_z)^{n_d}\left[\Big(1 - \frac{1}{n_x}\Big)\binom{n_x + n_d - 1}{n_d} + \binom{n_x + n_d - 1}{n_x}\right] .$          (B14)

In a similar way, we get

  $\Lambda_z = \frac{1}{4}\sum_{n_z=1}^{\infty}\sum_{n_d=0}^{\infty} p_x^2\,(p_z^2)^{n_z}\,(2 p_x p_z)^{n_d}\left[\Big(1 + \frac{1}{n_z}\Big)\binom{n_z + n_d - 1}{n_d} + \binom{n_z + n_d - 1}{n_z}\right] .$          (B15)

Equations (B3), (B14) and (B15) taken together result in

  $\langle E \rangle = \frac{1}{4}\sum_{n_d=0}^{\infty} (2 p_x p_z)^{n_d}\left( \sum_{n_x=1}^{\infty} p_z^2\,(p_x^2)^{n_x}\left[\Big(1 - \frac{1}{n_x}\Big)\binom{n_x + n_d - 1}{n_d} + \binom{n_x + n_d - 1}{n_x}\right] + \sum_{n_z=1}^{\infty} p_x^2\,(p_z^2)^{n_z}\left[\Big(1 + \frac{1}{n_z}\Big)\binom{n_z + n_d - 1}{n_d} + \binom{n_z + n_d - 1}{n_z}\right] \right) .$          (B16)

Figure 1 in the main article shows a plot of $\langle E \rangle$ as in (B16) as a function of $p_x$. As one can see, $\langle E \rangle$ achieves a minimum of $\langle E \rangle \approx 22.8\%$ for $p_x \approx 0.73$.


2. Attack that exploits basis-information leak

Now we calculate the expected error rate of iterative sifting for the attack which exploits basis-information leak as described in Section III B. As before, let $\langle E \rangle$ be the expected value of the error rate as defined in Equation (17). Again, we assume that the X- and Z-basis are the same for Alice, Bob and Eve and that they are mutually unbiased. Recall the strategy of Eve's intercept-resend attack: Before the first round of the loop phase, Eve flips a fair coin. Let $F$ be the random variable of the coin flip outcome and let 0 and 1 be its possible values. If $F = 0$, then in the first round, Eve attacks in the X-basis, and if $F = 1$, she attacks in the Z-basis. In the subsequent rounds, she keeps attacking in that basis until Alice and Bob first reached a basis agreement. If it is an X-agreement (equivalent to $\Theta = 01$), Eve attacks in the Z-basis in all remaining rounds, and if it is a Z-agreement (equivalent to $\Theta = 10$), she attacks in the X-basis in all remaining rounds.

The calculation of $\langle E \rangle$ goes as follows:

  $\langle E \rangle = P_F(0)\,\langle E \mid F = 0 \rangle + P_F(1)\,\langle E \mid F = 1 \rangle$          (B17)

  $\qquad = \langle E \mid F = 0 \rangle$          (B18)

  $\qquad = P_\Theta(01)\,\langle E \mid F = 0 \wedge \Theta = 01 \rangle + P_\Theta(10)\,\langle E \mid F = 0 \wedge \Theta = 10 \rangle .$          (B19)

Equality (B17) is just a decomposition of $\langle E \rangle$ into conditional expectations. Equality (B18) follows from the fact that the problem is symmetric under the exchange of X and Z, i.e. under the exchange of 0 and 1 (here $p_x = p_z = 1/2$, so that $P_\Theta(01) = P_\Theta(10) = 1/2$). The only quantity that is not trivial to calculate in Equation (B19) is the expected value of the error rate, given that Eve first measures in X and that the first basis agreement is an X-agreement. It is calculated as follows:

  $\langle E \mid F = 0 \wedge \Theta = 01 \rangle = \sum_{n_x=1}^{\infty} \langle E \mid F = 0 \wedge \Theta = 01 \wedge N_x = n_x \rangle\, P_{N_x \mid \Theta}(n_x \mid 01)$          (B20)

  $\qquad = \frac{1}{P_\Theta(01)}\sum_{n_x=1}^{\infty} \langle E \mid F = 0 \wedge \Theta = 01 \wedge N_x = n_x \rangle\, P_{N_x \Theta}(n_x, 01)$          (B21)

  $\qquad = \sum_{n_x=1}^{\infty}\sum_{n_d=0}^{\infty} (p_x^2)^{n_x}\, p_z^2\,(2 p_x p_z)^{n_d}\binom{n_x + n_d}{n_d}\,\frac{n_x - 1}{2 n_x}$          (B22)

  $\qquad = \frac{1}{4}\,(1 - \ln 2),$          (B23)

where $\ln$ denotes the logarithm to base $e$. In (B22) we used that, as in (B9), only the first of the $n_x$ X-agreements was attacked in the X-basis, so that $\langle E \mid F = 0 \wedge \Theta = 01 \wedge N_x = n_x \rangle = \frac{1}{4}\big(1 - \frac{1}{n_x}\big)$. Therefore,

  $\langle E \rangle = \frac{1}{2}\cdot\frac{1}{4}\,(1 - \ln 2) + \frac{1}{2}\cdot\frac{1}{4}$          (B24)

  $\qquad = \frac{2 - \ln 2}{8}$          (B25)

  $\qquad \approx 16.3\% .$          (B26)
3. Attack that exploits both problems

Here we present the error rate induced by the intercept-resend attack presented in Section III D, which exploits both non-uniform sampling and basis information leak. Let us recall the attack strategy. In the first round of the loop phase of the iterative sifting protocol, Eve attacks in the X-basis. She keeps doing that in subsequent rounds until Alice and Bob announce a basis agreement. If they announce an X-agreement, Eve attacks in the Z-basis in all the following rounds. Otherwise, she keeps attacking in the X-basis.

The calculation of the error rate is similar to the calculations done in Appendices B 1 and B 2. We only show the result here:

  $\langle E \rangle = \frac{1}{4}\sum_{n_z=1}^{\infty}\sum_{n_d=0}^{\infty} p_x^2\,(p_z^2)^{n_z}\,(2 p_x p_z)^{n_d}\binom{n_z + n_d}{n_d} + \sum_{n_x=1}^{\infty}\sum_{n_d=0}^{\infty} (p_x^2)^{n_x}\, p_z^2\,(2 p_x p_z)^{n_d}\binom{n_x + n_d}{n_d}\,\frac{n_x - 1}{4 n_x} .$          (B27)

A plot of (B27) is shown in Figure 1 as a function of $p_x$. As one can see, the expected error rate has a minimum of $\langle E \rangle \approx 15.8\%$ for $p_x \approx 0.57$. Hence, this combined attack on both problems performs much better than the one on non-uniform sampling alone (with a minimal expected error rate of $\approx 22.8\%$, see Section III A) and even better than the attack on the basis information leak alone (with a minimal expected error rate of $\approx 16.3\%$, see Section III B).
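The three error-rate formulas of this appendix are double sums whose summands decay geometrically, so they can be evaluated directly. The following Python script is an added example (not code from the paper): it evaluates (B16), (B17) to (B26) and (B27) by truncated summation, using the recurrence $\binom{n+n_d}{n_d+1} = \binom{n+n_d-1}{n_d}\frac{n+n_d}{n_d+1}$ to build the binomial weights, and searches a grid of $p_x$ values for the minima quoted above (about $22.8\%$ at $p_x \approx 0.73$, $16.3\%$, and $15.8\%$ at $p_x \approx 0.57$). The function names and the truncation parameter `cutoff` are ours.

```python
"""Expected error rates <E> of the three intercept-resend attacks on iterative
sifting with n = k = 1, evaluated numerically from the double sums (B16),
(B17)-(B26) and (B27).  Added example, not code from the paper.  The sums over
n_x (or n_z) and n_d are truncated at `cutoff` terms; this is harmless because
the summands decay geometrically."""


def nb_weights(n, d, cutoff):
    """w[n_d] = C(n + n_d - 1, n_d) * d**n_d for n_d = 0, ..., cutoff - 1, built with
    the recurrence C(n+n_d, n_d+1) = C(n+n_d-1, n_d) * (n+n_d)/(n_d+1).
    These are the weights of the histories whose first round is an agreement."""
    w = [1.0]
    for n_d in range(cutoff - 1):
        w.append(w[-1] * d * (n + n_d) / (n_d + 1))
    return w


def error_rate_nonuniform(p_x, cutoff=120):
    """<E> of Eq. (B16): Eve measures X in round 1 and Z in every later round."""
    p_z = 1.0 - p_x
    q, r, d = p_x ** 2, p_z ** 2, 2 * p_x * p_z   # P[X-agreement], P[Z-agreement], P[disagreement]
    total = 0.0
    for n in range(1, cutoff):
        agree = nb_weights(n, d, cutoff)            # C(n+n_d-1, n_d) d^n_d
        shifted = nb_weights(n + 1, d, cutoff)      # C(n+n_d, n_d) d^n_d
        for n_d in range(cutoff):
            # C(n+n_d-1, n) d^n_d = d * C(n+n_d-1, n_d-1) d^(n_d-1): first round is a disagreement
            disagree = d * shifted[n_d - 1] if n_d >= 1 else 0.0
            total += r * q ** n * ((1 - 1 / n) * agree[n_d] + disagree)   # Theta = 01, Eq. (B14)
            total += q * r ** n * ((1 + 1 / n) * agree[n_d] + disagree)   # Theta = 10, Eq. (B15)
    return total / 4


def error_rate_basis_leak(cutoff=120):
    """<E> of Eqs. (B17)-(B26) for p_x = p_z = 1/2: Eve keeps her coin-flip basis
    until the first announced agreement and then switches to the other basis."""
    q = r = 0.25
    d = 0.5
    p_theta_01 = 0.5                                # by the X/Z symmetry
    weighted = 0.0                                  # sum_{n_x} (1/4)(1 - 1/n_x) P_{N_x Theta}(n_x, 01)
    for n in range(1, cutoff):
        p_n = sum(q ** n * r * w for w in nb_weights(n + 1, d, cutoff))   # P[Theta = 01, N_x = n]
        weighted += (n - 1) / (4 * n) * p_n
    cond_01 = weighted / p_theta_01                 # <E | F = 0, Theta = 01> = (1 - ln 2)/4
    return p_theta_01 * cond_01 + (1 - p_theta_01) * 0.25   # Eq. (B24)


def error_rate_combined(p_x, cutoff=120):
    """<E> of Eq. (B27): X until the first announced agreement, then Z only if
    that agreement was an X-agreement."""
    p_z = 1.0 - p_x
    q, r, d = p_x ** 2, p_z ** 2, 2 * p_x * p_z
    total = 0.0
    for n in range(1, cutoff):
        s = sum(nb_weights(n + 1, d, cutoff))       # sum_{n_d} C(n+n_d, n_d) d^n_d
        total += q * r ** n * s / 4                 # Theta = 10: the test bit is always attacked in X
        total += q ** n * r * s * (n - 1) / (4 * n)   # Theta = 01: key bit attacked in Z w.p. (n-1)/n
    return total


def argmin_error(rate, grid=None):
    """Return (p_x, <E>) minimising `rate` over a grid of basis probabilities."""
    if grid is None:
        grid = [round(0.45 + 0.01 * i, 2) for i in range(36)]   # 0.45, 0.46, ..., 0.80
    best = min(grid, key=rate)
    return best, rate(best)


if __name__ == "__main__":
    print("non-uniform sampling (p_x, <E>):", argmin_error(error_rate_nonuniform))
    print("basis-information leak, p_x = 1/2:", error_rate_basis_leak())
    print("combined attack (p_x, <E>):", argmin_error(error_rate_combined))
```

At $p_x = 1/2$ the first attack gives exactly $25\%$, the error rate one expects from an intercept-resend attack that guesses the basis in half of the rounds; the lower values at asymmetric $p_x$ are the effect of the sampling bias.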
Appendix C: Sampling and abort probability calculation for LCA sifting

In this appendix, we derive the general form of the probability distribution $P_\Theta(\vartheta)$ for LCA sifting (Protocol III) as a function of the parameters $n$, $k$, $m$, and $p_z$. This achieves two goals: Firstly, it turns out that the sampling probability $P_\Theta(\vartheta)$ is independent of the sample $\vartheta \in \{0,1\}^l$, which shows that the protocol samples uniformly. Secondly, we calculate the abort probability $p_{\mathrm{abort}} = P_\Theta(\perp)$. This abort probability influences the key rate of potential QKD protocols that use this protocol as a subroutine, which makes $p_{\mathrm{abort}}$ an important performance parameter of the protocol.

We start by describing in Appendix C 1 how we think that proofs of sampling probabilities should be formalized and how the general strategy of our proof looks like. In Appendices C 2 to C 4, we show the proofs and finally derive $P_\Theta$.

1. On probabilistic models of the protocol

LCA sifting gives rise to a set of histories of the protocol. This set can be modelled as the set $\Omega = \Omega_{ABYY'STUV\Theta}$ of all tuples

  $\omega = (a, b, y, y', s, t, u, v, \vartheta),$          (C1)

where each entry varies over all its possible values. There are finitely many such histories, and each of them has a probability associated with it. This can be expressed more formally in the language of discrete probability theory* by saying that $\Omega$ forms the sample space of a discrete probability space $(\Omega, P)$, on which a probability mass function $P$ is defined such that $P(\omega)$ is the probability of a history $\omega$. Note that by choosing $\Omega = \Omega_{ABYY'STUV\Theta}$ we also include impossible combinations of $a, b, \dots, \vartheta$. For example, a history $\omega$ as in (C1) with $u = v$ is not possible, because $u$ stands for the X-agreements chosen for the raw key and $v$ stands for the Z-agreements chosen for the sample, and the two cannot coincide. This is not a problem for our model, because in this case, we simply have $P(\omega) = 0$.

In this probability theory language, the strings $a, b, \dots, \vartheta$ are values that random variables $A, B, \dots, \Theta$ can take. Random variables are maps from the sample space $\Omega$ to a set which is called the range or codomain of the random variable. For example, the random variable $A$ is a map

  $A : \Omega \to \mathcal{A},\quad \omega \mapsto A(\omega),$          (C2)

where $\mathcal{A}$ is the codomain of $A$. We denote the codomains of random variables with calligraphic letters (except for the random variable $\Theta$, whose codomain we denote by $\mathrm{co}(\Theta)$). According to the protocol, we have

  $\mathcal{A} = \{0,1\}^m = \{ (a_i)_{i=1}^m \mid a_i \in \{0,1\}\ \forall i \in [m] \} .$          (C3)

In the case where we model

  $\Omega = \Omega_{ABYY'STUV\Theta} = \mathcal{A} \times \mathcal{B} \times \mathcal{Y} \times \mathcal{Y}' \times \mathcal{S} \times \mathcal{T} \times \mathcal{U} \times \mathcal{V} \times \mathrm{co}(\Theta),$          (C4)

the random variables are simply the (set-theoretic) projections on the respective components, e.g.

  $A : \Omega = \mathcal{A} \times \mathcal{B} \times \dots \times \mathrm{co}(\Theta) \to \mathcal{A},\quad (a, b, \dots, \vartheta) \mapsto a .$          (C5)

Then, the probability $P_A(a)$ that $A = a$ is given by

  $P_A : \mathcal{A} \to [0,1],\quad a \mapsto \sum_{\omega \in A^{-1}(a)} P(\omega) = \sum_{(b, y, \dots, \vartheta)} P_{AB\dots\Theta}(a, b, \dots, \vartheta),$          (C6)

where we have written $P = P_{AB\dots\Theta}$. This is because in the case where $\Omega = \Omega_{AB\dots\Theta}$, $P$ is simply the joint probability distribution of the random variables $A, B, \dots, \Theta$.

* By discrete probability theory, we mean probability theory with a discrete sample space $\Omega$, i.e. where $\Omega$ is finite or countably infinite.

Setting $(\Omega, P) = (\Omega_{AB\dots\Theta}, P_{AB\dots\Theta})$ is sufficient to describe the probabilities of the random variables $A, B, \dots, \Theta$ and functions thereof. For our purposes, however, this description is overloaded. We do not need to incorporate all the random variables $A, B, \dots, \Theta$ in $\Omega$ and $P$. One reason is that some of the random variables are completely determined by some of the other random variables. For example, the string $s$ of Alice's sifted measurement outcomes is completely determined by Alice's measurement outcomes $a$ and the subsets $u$ and $v$. In the probability theory language, this is expressed as the fact that the random variable $S$ is a function of the random variables $A$, $U$ and $V$, or more precisely,

  $S = S(A, U, V),$          (C7)

  $S : \mathcal{A} \times \mathcal{U} \times \mathcal{V} \to \mathcal{S},\quad (a, u, v) \mapsto s(a, u, v),$          (C8)

and its probability distribution is given by

  $P_S(s) = \sum_{(a, u, v) \in S^{-1}(s)} P_{AUV}(a, u, v)$          (C9)

  $\qquad = \sum_{\omega \in (S \circ (A \times U \times V))^{-1}(s)} P(\omega) .$          (C10)

There are more such dependencies in our list of random variables:

  $T = T(B, U, V),$          (C11)

  $\Theta = \Theta(U, V) .$          (C12)

Hence, setting

  $(\Omega, P) = (\Omega_{ABYY'UV}, P_{ABYY'UV})$          (C13)

and using the dependencies (C7), (C11) and (C12) leads to an equally powerful description, but with a smaller probability space.

For our purposes, the space (C13) is still overloaded. We are only interested in the distribution $P_\Theta$ of $\Theta$. According to (C12), the relevant probability space is $(\Omega_{UV}, P_{UV})$, and $\Theta$ is a random variable

  $\Theta : \Omega_{UV} = \mathcal{U} \times \mathcal{V} \to \mathrm{co}(\Theta),\quad (u, v) \mapsto \vartheta(u, v) .$          (C14)

Then, $P_\Theta$ is given by

  $P_\Theta : \mathrm{co}(\Theta) \to [0,1],\quad \vartheta \mapsto \sum_{(u, v) \in \Theta^{-1}(\vartheta)} P_{UV}(u, v) .$          (C15)

It is difficult to write down the probability mass function $P_{UV}$ directly. Instead, we will derive the probability mass function $P_{ABUV}$ on the sample space $\Omega_{ABUV}$, and arrive at the probability distribution $P_{UV}$ via marginalization of $P_{ABUV}$:

  $P_{UV}(u, v) = \sum_{(a, b) \in \mathcal{A} \times \mathcal{B}} P_{ABUV}(a, b, u, v) .$          (C16)

Hence, the relevant probability space for our proof of uniform sampling of LCA sifting is the probability space $(\Omega_{ABUV}, P_{ABUV})$.
2. Formalization of $(\Omega_{ABUV}, P_{ABUV})$

According to what we said in the last subsection, the probability space that is relevant for our proof of uniform sampling of LCA sifting is the space $(\Omega_{ABUV}, P_{ABUV})$, which describes the probabilities of the basis choice strings $a$ and $b$ of Alice and Bob, as well as the choices $u$ and $v$ of the rounds that are used for the raw key and for parameter estimation, respectively. We are going to formalize this space in this subsection.

We start by determining the sample space

  $\Omega_{ABUV} = \mathcal{A} \times \mathcal{B} \times \mathcal{U} \times \mathcal{V} .$          (C17)

In the loop phase of the protocol, Alice and Bob generate basis choice strings $a = (a_i)_{i=1}^m \in \{0,1\}^m$, $b = (b_i)_{i=1}^m \in \{0,1\}^m$. This happens in every run, no matter whether Alice and Bob abort the protocol in the final phase. Hence,

  $\mathcal{A} = \mathcal{B} = \{0,1\}^m .$          (C18)

In the final phase of the protocol, Alice and Bob do a quota check, in which they determine the rounds in which both measured in the X-basis (X-agreements) and the rounds in which both measured in the Z-basis (Z-agreements). In the case where they had less than $n$ X-agreements or less than $k$ Z-agreements, they abort. In this case, Alice and Bob do not choose subsets $u$ and $v$ of their X- and Z-agreements, respectively. We model this by saying that in this case, $u = v = \perp$, where $\perp$ is just a symbol indicating that Alice and Bob abort. In the case where the quota check of the protocol is successful, Alice and Bob choose random subsets $u \subseteq [m]$ of size $n$ and $v \subseteq [m]$ of size $k$. We represent these subsets by bit strings $u \in \{0,1\}^m_n$, $v \in \{0,1\}^m_k$, where

  $\{0,1\}^m_n = \Big\{ (u_i)_{i=1}^m \in \{0,1\}^m \ \Big|\ \sum_{i=1}^m u_i = n \Big\},\qquad \{0,1\}^m_k = \Big\{ (v_i)_{i=1}^m \in \{0,1\}^m \ \Big|\ \sum_{i=1}^m v_i = k \Big\} .$          (C19)

They are to be interpreted as follows: For $u \in \{0,1\}^m_n$ and $i \in [m]$, $u_i = 1$ means that $i$ is contained in the subset $u \subseteq [m]$, and $u_i = 0$ means that $i$ is not contained, and likewise for $v \in \{0,1\}^m_k$. The requirement that the subsets $u$ and $v$ have size $n$ and $k$ translates into the conditions that the string components sum up to $n$ and $k$, respectively. Taking the two possibilities (the protocol aborts or the quota check is successful) together, we have that

  $\mathcal{U} = \{0,1\}^m_n \cup \{\perp\},$          (C20)

  $\mathcal{V} = \{0,1\}^m_k \cup \{\perp\},$          (C21)

and hence

  $\Omega_{ABUV} = \mathcal{A} \times \mathcal{B} \times \mathcal{U} \times \mathcal{V} = \{0,1\}^m \times \{0,1\}^m \times (\{0,1\}^m_n \cup \{\perp\}) \times (\{0,1\}^m_k \cup \{\perp\}) .$          (C22)

This is the sample space of the probability space $(\Omega_{ABUV}, P_{ABUV})$ that we are looking for.

Next, we determine the probability mass function $P_{ABUV}$. We can write

  $P_{ABUV}(a, b, u, v) = P_{AB}(a, b)\, P_{UV \mid AB}(u, v \mid a, b),$          (C23)

where $P_{UV \mid AB}(u, v \mid a, b)$ is the probability that $U = u$ and $V = v$, conditioned on $A = a$ and $B = b$. The probability distribution $P_{AB}(a, b)$ is easily determined. Each bit $a_i$, $b_i$, $i \in [m]$, is generated independently at random and takes the value 0 with probability $p_x$ and the value 1 with probability $p_z$. Hence,

  $\forall (a, b) \in \mathcal{A} \times \mathcal{B}:\quad P_{AB}(a, b) = \prod_{i=1}^m p_x^{1 - a_i}\, p_z^{a_i}\, p_x^{1 - b_i}\, p_z^{b_i}$          (C24)

  $\qquad = p_x^{m - |a|}\, p_z^{|a|}\, p_x^{m - |b|}\, p_z^{|b|}$          (C25)

  $\qquad = p_x^{2m - |a| - |b|}\, p_z^{|a| + |b|},$          (C26)

where for a string $a \in \{0,1\}^m$, we write

  $|a| := \sum_{i=1}^m a_i .$          (C27)
The conditional probability distribution $P_{UV \mid AB}$ is a bit more tricky to write down. What is crucial for this conditional probability is whether the strings $a$ and $b$ have at least $n$ X-agreements and at least $k$ Z-agreements. We want to give this condition a formula as follows. Imagine Alice and Bob want to count their X- and Z-agreements. To do so, they can first determine the string $a \wedge b$, given by

  $a \wedge b := (a_i \wedge b_i)_{i=1}^m .$          (C28)

The $i$-th entry $a_i \wedge b_i$ of $a \wedge b$ is 1 if the corresponding bits $a_i$ and $b_i$ are both 1, i.e. if they had a Z-agreement, and 0 otherwise. Hence, to count their Z-agreements, they can sum up the components of $a \wedge b$:

  $\text{number of Z-agreements} = \sum_{i=1}^m a_i \wedge b_i = |a \wedge b| .$          (C29)

Therefore, the condition that Alice and Bob had at least $k$ Z-agreements can be expressed as

  $|a \wedge b| \geq k .$          (C30)

Likewise, the condition that they had at least $n$ X-agreements can be written as

  $|\bar{a} \wedge \bar{b}| \geq n,$          (C31)

where for a string $a \in \{0,1\}^m$, we write

  $\bar{a} = (1 - a_i)_{i=1}^m \in \{0,1\}^m .$          (C32)

Taken together, the quota check condition reads

  $|\bar{a} \wedge \bar{b}| \geq n \quad\text{and}\quad |a \wedge b| \geq k .$          (C33)

In the case where condition (C33) is not satisfied, Alice and Bob abort, and therefore it must be that $(u, v) = (\perp, \perp)$. We can write this as

  $\forall (a, b) \in \{0,1\}^m \times \{0,1\}^m \text{ such that } (|a \wedge b| < k \text{ or } |\bar{a} \wedge \bar{b}| < n):\quad P_{UV \mid AB}(u, v \mid a, b) = \chi(u = v = \perp),$          (C34)

where $\chi$ is the indicator function, which evaluates to 1 if its argument is true and which evaluates to 0 if its argument is false.

For $(a, b) \in \{0,1\}^m \times \{0,1\}^m$ such that condition (C33) is satisfied, the conditional probability $P_{UV \mid AB}$ is a little more difficult to write down. In that case, both $u = \perp$ and $v = \perp$ are impossible. Moreover, only those $u \in \{0,1\}^m_n$ are possible which are subsets of Alice and Bob's X-agreements, i.e. which satisfy

  $u_i = 1 \Rightarrow a_i = b_i = 0 \quad \forall i \in [m] .$          (C35)

Note that

  $\forall (a, b, u) \in \{0,1\}^m \times \{0,1\}^m \times \{0,1\}^m_n:\quad (u_i = 1 \Rightarrow a_i = b_i = 0\ \ \forall i \in [m]) \iff |\bar{a} \wedge \bar{b} \wedge u| = n .$          (C36)

Hence, the condition that $u$ is a subset of the X-agreements simply reads

  $|\bar{a} \wedge \bar{b} \wedge u| = n,$          (C37)

and likewise, the condition that $v$ is a subset of the Z-agreements reads

  $|a \wedge b \wedge v| = k .$          (C38)

Hence, in the case where (C33) holds, only those $(u, v) \in \{0,1\}^m_n \times \{0,1\}^m_k$ are possible for which

  $|\bar{a} \wedge \bar{b} \wedge u| = n \quad\text{and}\quad |a \wedge b \wedge v| = k .$          (C39)

We can combine the two conditions in a single formula:

  $\forall (a, b, u, v) \in \{0,1\}^m \times \{0,1\}^m \times \{0,1\}^m_n \times \{0,1\}^m_k:$          (C40)

  $\qquad (|\bar{a} \wedge \bar{b} \wedge u| = n \text{ and } |a \wedge b \wedge v| = k) \iff |\bar{a} \wedge \bar{b} \wedge u| + |a \wedge b \wedge v| = l,$          (C41)

where $l := n + k$. If this condition is satisfied, then $u$ is a subset of the X-agreements. Since the number of X-agreements is given by $|\bar{a} \wedge \bar{b}|$, we have that

  $\text{number of subsets of X-agreements of size } n = \binom{|\bar{a} \wedge \bar{b}|}{n} .$          (C42)

Since Alice and Bob are discarding surplus fully at random, each such subset is equally likely, and thus has a probability of $\binom{|\bar{a} \wedge \bar{b}|}{n}^{-1}$. Arguing similarly for $v$ and noting that the choices of $u$ and $v$ are independent when the quota condition is passed leads to

  $\forall (a, b) \in \{0,1\}^m \times \{0,1\}^m \text{ such that } |a \wedge b| \geq k \text{ and } |\bar{a} \wedge \bar{b}| \geq n:$
  $\qquad P_{UV \mid AB}(u, v \mid a, b) = \chi(u \neq \perp,\ v \neq \perp,\ |\bar{a} \wedge \bar{b} \wedge u| + |a \wedge b \wedge v| = l)\binom{|\bar{a} \wedge \bar{b}|}{n}^{-1}\binom{|a \wedge b|}{k}^{-1} .$          (C43)

These two cases fully determine the conditional probability, i.e. (C34) and (C43) determine $P_{UV \mid AB}$ for all $(a, b) \in \{0,1\}^m \times \{0,1\}^m$, namely:

  $P_{UV \mid AB}(u, v \mid a, b) = \begin{cases} \chi(u = v = \perp) & \text{if } |a \wedge b| < k \text{ or } |\bar{a} \wedge \bar{b}| < n, \\[4pt] \chi(u \neq \perp,\ v \neq \perp,\ |\bar{a} \wedge \bar{b} \wedge u| + |a \wedge b \wedge v| = l)\binom{|\bar{a} \wedge \bar{b}|}{n}^{-1}\binom{|a \wedge b|}{k}^{-1} & \text{if } |a \wedge b| \geq k \text{ and } |\bar{a} \wedge \bar{b}| \geq n . \end{cases}$          (C44)

We can write this as

  $P_{UV \mid AB}(u, v \mid a, b) = \chi(|a \wedge b| < k \text{ or } |\bar{a} \wedge \bar{b}| < n)\,\chi(u = v = \perp)$
  $\qquad + \chi(|a \wedge b| \geq k \text{ and } |\bar{a} \wedge \bar{b}| \geq n)\,\chi(u \neq \perp,\ v \neq \perp,\ |\bar{a} \wedge \bar{b} \wedge u| + |a \wedge b \wedge v| = l)\binom{|\bar{a} \wedge \bar{b}|}{n}^{-1}\binom{|a \wedge b|}{k}^{-1}$          (C45)

  $\qquad = \chi(|a \wedge b| < k \text{ or } |\bar{a} \wedge \bar{b}| < n)\,\chi(u = v = \perp)$
  $\qquad + \chi(u \neq \perp,\ v \neq \perp,\ |\bar{a} \wedge \bar{b} \wedge u| + |a \wedge b \wedge v| = l)\binom{|\bar{a} \wedge \bar{b}|}{n}^{-1}\binom{|a \wedge b|}{k}^{-1},$          (C46)

where the last equality follows from

  $u \neq \perp,\ v \neq \perp,\ |\bar{a} \wedge \bar{b} \wedge u| + |a \wedge b \wedge v| = l \implies |a \wedge b| \geq k \text{ and } |\bar{a} \wedge \bar{b}| \geq n .$          (C47)

Taking (C23), (C26) and (C46) together, we get

  $P_{ABUV}(a, b, u, v) = p_x^{2m - |a| - |b|}\, p_z^{|a| + |b|}\Big[\chi(|a \wedge b| < k \text{ or } |\bar{a} \wedge \bar{b}| < n)\,\chi(u = v = \perp)$
  $\qquad + \chi(u \neq \perp,\ v \neq \perp,\ |\bar{a} \wedge \bar{b} \wedge u| + |a \wedge b \wedge v| = l)\binom{|\bar{a} \wedge \bar{b}|}{n}^{-1}\binom{|a \wedge b|}{k}^{-1}\Big] .$          (C48)

This concludes our formalization of $(\Omega_{ABUV}, P_{ABUV})$.

Definition 4: We define the discrete probability space $(\Omega_{ABUV}, P_{ABUV})$ by equations (C22) and (C48).

3. Marginalization to $(\Omega_{UV}, P_{UV})$

Definition 5: We define the probability space $(\Omega_{UV}, P_{UV})$ by

  $\Omega_{UV} := \mathcal{U} \times \mathcal{V} = (\{0,1\}^m_n \cup \{\perp\}) \times (\{0,1\}^m_k \cup \{\perp\}),$          (C49)

  $P_{UV}(u, v) := \sum_{(a, b) \in \mathcal{A} \times \mathcal{B}} P_{ABUV}(a, b, u, v) .$          (C50)
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Proposition 6: It holds that 


n — l m—n^ m niin{m—n^,k—iy 


Uz—O Ux—TL Uz—O 

m—k m—nx 


Puv{u,v) = x{u = v =±) \ 

Uz—i 

m — l \ f m — k — n. 

- k 


m \ m — 


Tin 


X \cym—nx—nz m-\-nx—nz^m—nx-\-n 




Pz 


x{u ^±,v ^±,\uAv\ =0) E E 


'nx=n. n^=k 


rix-n 


^ i om—Tlx—m+ria;—m—na;+n3 / 


-1 / X -1 

n. 


Proof. To show equation (C51), we need to show three things:

(i) $$P_{UV}(\bot,\bot) = \left(\sum_{n_x=0}^{n-1}\sum_{n_z=0}^{m-n_x} + \sum_{n_x=n}^{m}\sum_{n_z=0}^{\min(m-n_x,\,k-1)}\right)\binom{m}{n_x}\binom{m-n_x}{n_z}2^{m-n_x-n_z}p_x^{m+n_x-n_z}p_z^{m-n_x+n_z},$$

(ii) $$\forall(u,v)\in\{0,1\}^m_n\times\{0,1\}^m_k:\quad P_{UV}(u,v) = \chi(|u\wedge v|=0)\sum_{n_x=n}^{m-k}\sum_{n_z=k}^{m-n_x}\binom{m-l}{n_x-n}\binom{m-k-n_x}{n_z-k}2^{m-n_x-n_z}p_x^{m+n_x-n_z}p_z^{m-n_x+n_z}\binom{n_x}{n}^{-1}\binom{n_z}{k}^{-1},$$

(iii) $$\forall(u,v)\in(\{\bot\}\times\{0,1\}^m_k)\cup(\{0,1\}^m_n\times\{\bot\}):\quad P_{UV}(u,v)=0.$$

We start with showing (i). We have that

$$P_{UV}(\bot,\bot) = \sum_{(a,b)\in A\times B}P_{ABUV}(a,b,\bot,\bot) \qquad \text{(C52)}$$
$$= \sum_{(a,b)\in A\times B}\chi(|a\wedge b|<k \text{ or } |\bar a\wedge\bar b|<n)\,p_x^{2m-|a|-|b|}p_z^{|a|+|b|} \qquad \text{(C53)}$$
$$= \sum_{(a,b)\in\Gamma_{\mathrm{abort}}}p_x^{2m-|a|-|b|}p_z^{|a|+|b|}, \qquad \text{(C54)}$$

where

$$\Gamma_{\mathrm{abort}} = \{(a,b)\in\{0,1\}^m\times\{0,1\}^m \mid |a\wedge b|<k \text{ or } |\bar a\wedge\bar b|<n\}. \qquad \text{(C55)}$$

We can partition $\Gamma_{\mathrm{abort}}$ as follows:

$$\Gamma_{\mathrm{abort}} = \bigsqcup_{(n_x,n_z)\in\mathrm{Abort}}\Gamma(n_x,n_z), \qquad \text{(C56)}$$

where the "square cup" $\sqcup$ stands for disjoint union (the union of disjoint sets) and where

$$\mathrm{Abort} = \{(n_x,n_z)\in\{0,\dots,m\}\times\{0,\dots,m\} \mid n_x+n_z\le m,\ (n_x<n \text{ or } n_z<k)\}, \qquad \text{(C57)}$$
$$\Gamma(n_x,n_z) = \{(a,b)\in\{0,1\}^m\times\{0,1\}^m \mid |\bar a\wedge\bar b|=n_x,\ |a\wedge b|=n_z\}. \qquad \text{(C58)}$$

Hence,

$$P_{UV}(\bot,\bot) = \sum_{(n_x,n_z)\in\mathrm{Abort}}\ \sum_{(a,b)\in\Gamma(n_x,n_z)}p_x^{2m-|a|-|b|}p_z^{|a|+|b|}. \qquad \text{(C59)}$$


The set $\Gamma(n_x,n_z)$ consists of all $(a,b)\in\{0,1\}^m\times\{0,1\}^m$ with exactly $n_x$ X-agreements and exactly $n_z$ Z-agreements. For these strings,

$$\forall(a,b)\in\Gamma(n_x,n_z):\quad p_x^{2m-|a|-|b|}p_z^{|a|+|b|} = p_x^{2n_x}p_z^{2n_z}(p_xp_z)^{m-n_x-n_z} \qquad \text{(C60)}$$
$$= p_x^{m+n_x-n_z}p_z^{m-n_x+n_z}, \qquad \text{(C61)}$$

so equation (C59) simplifies to

$$P_{UV}(\bot,\bot) = \sum_{(n_x,n_z)\in\mathrm{Abort}}|\Gamma(n_x,n_z)|\,p_x^{m+n_x-n_z}p_z^{m-n_x+n_z}. \qquad \text{(C62)}$$

The number $|\Gamma(n_x,n_z)|$ of elements of $\Gamma(n_x,n_z)$ is given by

$$|\Gamma(n_x,n_z)| = \binom{m}{n_x}\binom{m-n_x}{n_z}2^{m-n_x-n_z}. \qquad \text{(C63)}$$

This can be seen as follows: $\binom{m}{n_x}$ is the number of possible distributions of the $n_x$ X-agreements over the $m$ rounds, and $\binom{m-n_x}{n_z}$ is the number of possible distributions of the $n_z$ Z-agreements over the remaining $m-n_x$ rounds. For the rounds where the strings have basis agreement, they are fully determined, but for $i$ in the remaining $m-n_x-n_z$ rounds, we can have either $a_i=0$ and $b_i=1$ for a basis disagreement, or $a_i=1$ and $b_i=0$. Thus, there are two possibilities for every disagreement, which explains the factor $2^{m-n_x-n_z}$. Combining equations (C62) and (C63) yields

$$P_{UV}(\bot,\bot) = \sum_{(n_x,n_z)\in\mathrm{Abort}}\binom{m}{n_x}\binom{m-n_x}{n_z}2^{m-n_x-n_z}p_x^{m+n_x-n_z}p_z^{m-n_x+n_z} \qquad \text{(C64)}$$
$$= \left(\sum_{n_x=0}^{n-1}\sum_{n_z=0}^{m-n_x} + \sum_{n_x=n}^{m}\sum_{n_z=0}^{\min(m-n_x,\,k-1)}\right)\binom{m}{n_x}\binom{m-n_x}{n_z}2^{m-n_x-n_z}p_x^{m+n_x-n_z}p_z^{m-n_x+n_z}, \qquad \text{(C65)}$$

where the last equation follows from splitting up $\mathrm{Abort}$ into the two respective sets. This shows (i).
We proceed with showing (ii). We get from equation (C48) that

$$\forall(u,v)\in\{0,1\}^m_n\times\{0,1\}^m_k:\quad P_{UV}(u,v) = \sum_{(a,b)\in\{0,1\}^m\times\{0,1\}^m}\chi\big(|\bar a\wedge\bar b\wedge u|+|a\wedge b\wedge v|=l\big)\,p_x^{2m-|a|-|b|}p_z^{|a|+|b|}\binom{|\bar a\wedge\bar b|}{n}^{-1}\binom{|a\wedge b|}{k}^{-1} \qquad \text{(C66)}$$
$$= \sum_{(a,b)\in\Phi(u,v)}p_x^{2m-|a|-|b|}p_z^{|a|+|b|}\binom{|\bar a\wedge\bar b|}{n}^{-1}\binom{|a\wedge b|}{k}^{-1}, \qquad \text{(C67)}$$

where

$$\Phi(u,v) = \{(a,b)\in\{0,1\}^m\times\{0,1\}^m \mid |\bar a\wedge\bar b\wedge u|+|a\wedge b\wedge v|=l\}. \qquad \text{(C68)}$$

In analogy to the way we split up $\Gamma_{\mathrm{abort}}$ above, we now split up $\Phi(u,v)$:

$$\Phi(u,v) = \bigsqcup_{(n_x,n_z)\in\mathrm{Pass}}\Phi(u,v,n_x,n_z), \qquad \text{(C69)}$$

where

$$\mathrm{Pass} = \{(n_x,n_z)\in\{0,\dots,m\}\times\{0,\dots,m\} \mid n_x+n_z\le m,\ n_x\ge n,\ n_z\ge k\}, \qquad \text{(C70)}$$
$$\Phi(u,v,n_x,n_z) = \{(a,b)\in\Phi(u,v) \mid |\bar a\wedge\bar b|=n_x,\ |a\wedge b|=n_z\}. \qquad \text{(C71)}$$

This gives us

$$\forall(u,v)\in\{0,1\}^m_n\times\{0,1\}^m_k:\quad P_{UV}(u,v) = \sum_{(n_x,n_z)\in\mathrm{Pass}}\ \sum_{(a,b)\in\Phi(u,v,n_x,n_z)}p_x^{2m-|a|-|b|}p_z^{|a|+|b|} \qquad \text{(C72)}$$
$$\qquad\qquad\times\binom{|\bar a\wedge\bar b|}{n}^{-1}\binom{|a\wedge b|}{k}^{-1}. \qquad \text{(C73)}$$

Again, in analogy to our calculation of $P_{UV}(\bot,\bot)$, the sets $\Phi(u,v,n_x,n_z)$ are sets on which the summand in equation (C73) is constant. More precisely, for every $(u,v,n_x,n_z)\in\{0,1\}^m_n\times\{0,1\}^m_k\times\mathrm{Pass}$, it holds that

$$\forall(a,b)\in\Phi(u,v,n_x,n_z):\quad p_x^{2m-|a|-|b|}p_z^{|a|+|b|}\binom{|\bar a\wedge\bar b|}{n}^{-1}\binom{|a\wedge b|}{k}^{-1} = p_x^{2n_x}p_z^{2n_z}(p_xp_z)^{m-n_x-n_z}\binom{n_x}{n}^{-1}\binom{n_z}{k}^{-1} \qquad \text{(C74)}$$
$$= p_x^{m+n_x-n_z}p_z^{m-n_x+n_z}\binom{n_x}{n}^{-1}\binom{n_z}{k}^{-1}. \qquad \text{(C75)}$$
This leads us to determining the size of $\Phi(u,v,n_x,n_z)$. In words, this set contains all pairs $(a,b)\in\{0,1\}^m\times\{0,1\}^m$ with $n_x$ X-agreements and $n_z$ Z-agreements such that $n$ X-agreements are located where $u_i=1$ and $k$ Z-agreements are located where $v_i=1$. The size of this set is

$$|\Phi(u,v,n_x,n_z)| = \chi(|u\wedge v|=0)\binom{m-l}{n_x-n}\binom{m-k-n_x}{n_z-k}2^{m-n_x-n_z}. \qquad \text{(C76)}$$

This can be seen as follows. If $|u\wedge v|\ne 0$, there cannot be any $(a,b)\in\{0,1\}^m\times\{0,1\}^m$ such that $|\bar a\wedge\bar b\wedge u|+|a\wedge b\wedge v|=l$, and hence the set must be empty in that case. This explains the factor $\chi(|u\wedge v|=0)$. For those $(u,v)\in\{0,1\}^m_n\times\{0,1\}^m_k$ for which $|u\wedge v|=0$, the strings $(a,b)\in\Phi(u,v,n_x,n_z)$ are determined on $n+k=l$ positions by $u$ and $v$. The remaining $m-l$ rounds are partitioned into $n_x-n$ rounds of X-agreements, $n_z-k$ Z-agreements and $m-n_x-n_z$ disagreements. There are $\binom{m-l}{n_x-n}\binom{m-k-n_x}{n_z-k}$ such partitions. Finally, on each position of the $m-n_x-n_z$ disagreements, we have the two possibilities $(a_i,b_i)=(0,1)$ and $(a_i,b_i)=(1,0)$, which contributes the factor $2^{m-n_x-n_z}$. Taking equations (C75) and (C76) together, we get

$$\forall(u,v)\in\{0,1\}^m_n\times\{0,1\}^m_k:\quad P_{UV}(u,v) = \sum_{(n_x,n_z)\in\mathrm{Pass}}\chi(|u\wedge v|=0)\binom{m-l}{n_x-n}\binom{m-k-n_x}{n_z-k}2^{m-n_x-n_z}p_x^{m+n_x-n_z}p_z^{m-n_x+n_z}\binom{n_x}{n}^{-1}\binom{n_z}{k}^{-1} \qquad \text{(C77)}$$
$$= \chi(|u\wedge v|=0)\sum_{n_x=n}^{m-k}\sum_{n_z=k}^{m-n_x}\binom{m-l}{n_x-n}\binom{m-k-n_x}{n_z-k}2^{m-n_x-n_z}p_x^{m+n_x-n_z}p_z^{m-n_x+n_z}\binom{n_x}{n}^{-1}\binom{n_z}{k}^{-1}. \qquad \text{(C78)}$$

This shows (ii).

The remaining case (iii) is easily shown. It follows directly from (C48), because

$$\forall(u,v)\in(\{\bot\}\times\{0,1\}^m_k)\cup(\{0,1\}^m_n\times\{\bot\}):\quad \chi(u=v=\bot) = \chi\big(u\ne\bot,\ v\ne\bot,\ |\bar a\wedge\bar b\wedge u|+|a\wedge b\wedge v|=l\big) = 0. \qquad \text{(C79)}$$

This shows (iii) and therefore completes the proof. □


4. Formalization of $\Theta$ and derivation of $P_\Theta$

We have derived the probability space $(\Omega_{UV}, P_{UV})$ as demanded in Appendix C1. Now we are left to define the random variable

$$\Theta:\ \Omega_{UV}\to\mathrm{co}(\Theta),\quad (u,v)\mapsto\begin{cases} h(u,v) & \text{if } (u,v)\in\{(u,v)\in\{0,1\}^m_n\times\{0,1\}^m_k \mid |u\wedge v|=0\}, \\ \bot & \text{otherwise}, \end{cases} \qquad \text{(C80)}$$

and to derive an expression for

$$P_\Theta:\ \mathrm{co}(\Theta)\to[0,1],\quad \vartheta\mapsto\sum_{(u,v)\in\Theta^{-1}(\vartheta)}P_{UV}(u,v). \qquad \text{(C81)}$$

The range $\mathrm{co}(\Theta)$ of $\Theta$ is given by

$$\mathrm{co}(\Theta) = \{0,1\}^l_k\cup\{\bot\}, \qquad \text{(C82)}$$

where an element of $\{0,1\}^l_k$ is a sifted basis choice string as in LCA sifting and where we set $\vartheta=\bot$ in the case where Alice and Bob abort the protocol.

To derive the random variable $\Theta$, assume that Alice and Bob arrived at strings $(u,v)\in U\times V$. How do these two strings determine the sifted basis choice string $\vartheta$? Let us first assume the case where $(u,v)\in\{0,1\}^m_n\times\{0,1\}^m_k$ such that $|u\wedge v|=0$. The relevant set of indices in this case is the set of round indices $r$ for which $u_r=1$ or $v_r=1$:

$$\alpha(u,v) := \{r\in[m] \mid u_r=1 \text{ or } v_r=1\}. \qquad \text{(C83)}$$

Note that $|\alpha(u,v)|=n+k=l$. For $i\in[l]$ we define

$$\alpha_i(u,v) := \text{the } i\text{-th element of } \alpha(u,v). \qquad \text{(C84)}$$

With this notation at hand, we can determine $\vartheta$ from $u$ and $v$ as follows: for $i\in[l]$, we have that $\vartheta_i=0$ if $u_{\alpha_i(u,v)}=1$ and $\vartheta_i=1$ if $v_{\alpha_i(u,v)}=1$. (Note that for $i\in[l]$, it always holds either $u_{\alpha_i(u,v)}=1$ or $v_{\alpha_i(u,v)}=1$, but never both, so this is well-defined.) We can write this in terms of a helper function $h$ as

$$h:\ \{(u,v)\in\{0,1\}^m_n\times\{0,1\}^m_k \mid |u\wedge v|=0\}\to\{0,1\}^l_k,\quad (u,v)\mapsto\big(h_i(u,v)\big)_{i=1}^{l}, \qquad \text{(C85)}$$

where

$$h_i(u,v) = \begin{cases} 0 & \text{if } u_{\alpha_i(u,v)}=1, \\ 1 & \text{if } v_{\alpha_i(u,v)}=1. \end{cases} \qquad \text{(C86)}$$

This determines $\Theta$ for all $(u,v)\in\{0,1\}^m_n\times\{0,1\}^m_k$ such that $|u\wedge v|=0$. However, since these are the only pairs $(u,v)$ for which a sifted basis choice string $\vartheta\in\{0,1\}^l_k$ is generated, we just let $\Theta$ send all other pairs $(u,v)$ to $\bot$:

$$\Theta:\ U\times V\to\mathrm{co}(\Theta),\quad (u,v)\mapsto\begin{cases} h(u,v) & \text{if } (u,v)\in\{(u,v)\in\{0,1\}^m_n\times\{0,1\}^m_k \mid |u\wedge v|=0\}, \\ \bot & \text{otherwise}. \end{cases} \qquad \text{(C87)}$$

This way, pairs $(u,v)$ are mapped to $\bot$ which cannot occur in the protocol (e.g. $(\bot,b)$ with $b\in\{0,1\}^m_k$). This is unproblematic, because for these pairs $P_{UV}(u,v)=0$, so according to equation (C81) they do not contribute to $P_\Theta$.

Definition 7: We define the sifted basis choice string random variable $\Theta$ on $\Omega_{UV}$ by equation (C87). Its associated probability mass function $P_\Theta$ is given by (C81).

We are ready to state the result.

Proposition 8: For LCA sifting (Protocol III), we have that

$$P_{\mathrm{abort}} = P_\Theta(\bot) = \left(\sum_{n_x=0}^{n-1}\sum_{n_z=0}^{m-n_x} + \sum_{n_x=n}^{m}\sum_{n_z=0}^{\min(m-n_x,\,k-1)}\right)\binom{m}{n_x}\binom{m-n_x}{n_z}2^{m-n_x-n_z}p_x^{m+n_x-n_z}p_z^{m-n_x+n_z}, \qquad \text{(C88)}$$
$$\forall\vartheta\in\{0,1\}^l_k:\quad P_\Theta(\vartheta) = \binom{m}{l}\sum_{n_x=n}^{m-k}\sum_{n_z=k}^{m-n_x}\binom{m-n-k}{n_x-n}\binom{m-k-n_x}{n_z-k}2^{m-n_x-n_z}p_x^{m+n_x-n_z}p_z^{m-n_x+n_z}\binom{n_x}{n}^{-1}\binom{n_z}{k}^{-1}. \qquad \text{(C89)}$$

Before we prove Proposition 8, let us point out its importance. Equation (C88) is the probability that the sifting protocol aborts because Alice and Bob did not reach the quota on the X- and Z-agreements, and is therefore a performance parameter of the protocol. Equation (C89) is the sampling probability for each $\vartheta\in\{0,1\}^l_k$. Since (C89) is independent of $\vartheta\in\{0,1\}^l_k$, we get uniform sampling as a corollary of Proposition 8.

Corollary: The combination of LCA sifting (Protocol III) and SBPE (Protocol II) samples uniformly. In other words, the LCA sifting protocol satisfies

$$P_\Theta(\vartheta) = P_\Theta(\vartheta') \quad \forall\vartheta,\vartheta'\in\{0,1\}^l_k. \qquad \text{(C90)}$$

This proves 2. It leads us to proposing the protocol as a secure alternative to the insecure iterative sifting protocol. Now we proceed to the proof of Proposition 8.

Proof of Proposition 8. We first show equation (C88). By definition, it holds that

$$P_\Theta(\bot) = \sum_{(u,v)\in\Theta^{-1}(\bot)}P_{UV}(u,v), \qquad \text{(C91)}$$

where

$$\Theta^{-1}(\bot) = (\{\bot\}\times\{0,1\}^m_k)\cup(\{0,1\}^m_n\times\{\bot\})\cup\{(\bot,\bot)\}\cup\{(u,v)\in\{0,1\}^m_n\times\{0,1\}^m_k \mid |u\wedge v|\ne 0\}. \qquad \text{(C92)}$$

We know from Proposition 6 that

$$\forall(u,v)\in(\{\bot\}\times\{0,1\}^m_k)\cup(\{0,1\}^m_n\times\{\bot\}):\quad P_{UV}(u,v)=0. \qquad \text{(C93)}$$

Since

$$\forall(a,b,u,v)\in\{0,1\}^m\times\{0,1\}^m\times\{0,1\}^m_n\times\{0,1\}^m_k:\quad |u\wedge v|\ne 0 \;\Longrightarrow\; |\bar a\wedge\bar b\wedge u|+|a\wedge b\wedge v|\ne l, \qquad \text{(C94)}$$

we also have

$$\forall(u,v)\in\{(u',v')\in\{0,1\}^m_n\times\{0,1\}^m_k \mid |u'\wedge v'|\ne 0\}:\quad P_{UV}(u,v)=0. \qquad \text{(C95)}$$

Thus,

$$P_\Theta(\bot) = P_{UV}(\bot,\bot) \qquad \text{(C96)}$$
$$= \left(\sum_{n_x=0}^{n-1}\sum_{n_z=0}^{m-n_x} + \sum_{n_x=n}^{m}\sum_{n_z=0}^{\min(m-n_x,\,k-1)}\right)\binom{m}{n_x}\binom{m-n_x}{n_z}2^{m-n_x-n_z}p_x^{m+n_x-n_z}p_z^{m-n_x+n_z}, \qquad \text{(C97)}$$

where the last equality follows from Proposition 6. This shows equation (C88).

We proceed with showing equation (C89). We have that

$$\forall\vartheta\in\{0,1\}^l_k:\quad P_\Theta(\vartheta) = \sum_{(u,v)\in\Theta^{-1}(\vartheta)}P_{UV}(u,v) \qquad \text{(C98)}$$
$$= \sum_{(u,v)\in h^{-1}(\vartheta)}P_{UV}(u,v), \qquad \text{(C99)}$$

where

$$h^{-1}(\vartheta) = \Big\{(u,v)\in\{0,1\}^m_n\times\{0,1\}^m_k \;\Big|\; |u\wedge v|=0,\ \forall i\in[l]:\ u_{\alpha_i(u,v)}=1 \text{ if } \vartheta_i=0,\ v_{\alpha_i(u,v)}=1 \text{ if } \vartheta_i=1\Big\}. \qquad \text{(C100)}$$

Since $|u\wedge v|=0$ for all $(u,v)\in h^{-1}(\vartheta)$, we know from Proposition 6 that

$$\forall(u,v)\in h^{-1}(\vartheta):\quad P_{UV}(u,v) = \sum_{n_x=n}^{m-k}\sum_{n_z=k}^{m-n_x}\binom{m-l}{n_x-n}\binom{m-k-n_x}{n_z-k}2^{m-n_x-n_z}p_x^{m+n_x-n_z}p_z^{m-n_x+n_z}\binom{n_x}{n}^{-1}\binom{n_z}{k}^{-1}. \qquad \text{(C101)}$$

Thus,

$$\forall\vartheta\in\{0,1\}^l_k:\quad P_\Theta(\vartheta) = |h^{-1}(\vartheta)|\sum_{n_x=n}^{m-k}\sum_{n_z=k}^{m-n_x}\binom{m-l}{n_x-n}\binom{m-k-n_x}{n_z-k}2^{m-n_x-n_z}p_x^{m+n_x-n_z}p_z^{m-n_x+n_z}\binom{n_x}{n}^{-1}\binom{n_z}{k}^{-1}. \qquad \text{(C102)}$$

For every $\vartheta\in\{0,1\}^l_k$, the set $h^{-1}(\vartheta)$ is the set of all pairs $(u,v)\in\{0,1\}^m_n\times\{0,1\}^m_k$ such that the following two properties are satisfied:

• $|u\wedge v|=0$,

• for the set $\alpha(u,v)$ as in equation (C84), it holds for every $i\in[l]$ that $u_{\alpha_i(u,v)}=1$ if $\vartheta_i=0$ and $v_{\alpha_i(u,v)}=1$ if $\vartheta_i=1$.

Now note that the only thing that matters is the question which $l=n+k$ elements of $[m]$ form the subset $\alpha(u,v)\subset[m]$: for every subset $\alpha\subset[m]$ of size $l$, there is exactly one pair $(u,v)$ which satisfies the above two properties such that $\alpha=\alpha(u,v)$. Hence, counting the elements of $h^{-1}(\vartheta)$ is the same as counting the $l$-element subsets of $[m]$, and therefore

$$|h^{-1}(\vartheta)| = \binom{m}{l}. \qquad \text{(C103)}$$

This reduces equation (C102) to

$$\forall\vartheta\in\{0,1\}^l_k:\quad P_\Theta(\vartheta) = \binom{m}{l}\sum_{n_x=n}^{m-k}\sum_{n_z=k}^{m-n_x}\binom{m-n-k}{n_x-n}\binom{m-k-n_x}{n_z-k}2^{m-n_x-n_z}p_x^{m+n_x-n_z}p_z^{m-n_x+n_z}\binom{n_x}{n}^{-1}\binom{n_z}{k}^{-1}, \qquad \text{(C104)}$$

which is what we wanted to show. □
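The closed forms (C88) and (C89), as an added Python example that is not code from the paper: it evaluates both expressions and checks them against a brute-force enumeration of all basis strings $(a,b)$ and all admissible $(u,v)$ for small parameters, confirming that every $\vartheta$ is equally likely. The basis encoding $0=\mathrm{X}$, $1=\mathrm{Z}$ follows the weights $p_x^{2m-|a|-|b|}p_z^{|a|+|b|}$ above; the parameter values in the usage call are constructed.

```python
from itertools import combinations, product
from math import comb, isclose

def gamma_weight(m, nx, nz, px, pz):
    """Total probability of all (a, b) with nx X- and nz Z-agreements:
    |Gamma(nx, nz)| from (C63) times the per-pair weight from (C61)."""
    return (comb(m, nx) * comb(m - nx, nz) * 2 ** (m - nx - nz)
            * px ** (m + nx - nz) * pz ** (m - nx + nz))

def p_abort(m, n, k, px, pz):
    """Closed form (C88): P_Theta(bot), summed over the Abort set of (C57)."""
    return sum(gamma_weight(m, nx, nz, px, pz)
               for nx in range(m + 1) for nz in range(m - nx + 1)
               if nx < n or nz < k)

def p_theta(m, n, k, px, pz):
    """Closed form (C89): P_Theta(theta), the same for every sifted string theta."""
    l = n + k
    total = 0.0
    for nx in range(n, m - k + 1):
        for nz in range(k, m - nx + 1):
            total += (comb(m - l, nx - n) * comb(m - k - nx, nz - k)
                      * 2 ** (m - nx - nz) * px ** (m + nx - nz) * pz ** (m - nx + nz)
                      / (comb(nx, n) * comb(nz, k)))
    return comb(m, l) * total

def enumerate_lca(m, n, k, px, pz):
    """Brute force over every (a, b, u, v) as in (C48) and (C86).  Basis bit
    0 = X, 1 = Z; u lists the n kept X-agreement rounds, v the k kept
    Z-agreement rounds, each subset chosen uniformly.  Returns
    (P[abort], {theta: P_Theta(theta)})."""
    abort, theta_prob = 0.0, {}
    for a, b in product(product((0, 1), repeat=m), repeat=2):
        w = px ** (2 * m - sum(a) - sum(b)) * pz ** (sum(a) + sum(b))
        xagree = [i for i in range(m) if a[i] == 0 and b[i] == 0]
        zagree = [i for i in range(m) if a[i] == 1 and b[i] == 1]
        if len(xagree) < n or len(zagree) < k:   # a quota is missed: abort
            abort += w
            continue
        choices = comb(len(xagree), n) * comb(len(zagree), k)
        for u in combinations(xagree, n):
            for v in combinations(zagree, k):
                alpha = sorted(u + v)                             # alpha(u, v), (C83)
                theta = tuple(0 if i in u else 1 for i in alpha)  # h(u, v), (C86)
                theta_prob[theta] = theta_prob.get(theta, 0.0) + w / choices
    return abort, theta_prob

def check_uniform(m, n, k, px, pz):
    """True iff both closed forms match the enumeration, every theta with k ones
    is equally likely, and the probabilities sum to one."""
    abort, theta_prob = enumerate_lca(m, n, k, px, pz)
    pt = p_theta(m, n, k, px, pz)
    return (isclose(abort, p_abort(m, n, k, px, pz))
            and len(theta_prob) == comb(n + k, k)
            and all(isclose(p, pt) for p in theta_prob.values())
            and isclose(comb(n + k, k) * pt + abort, 1.0))

if __name__ == "__main__":   # constructed parameters: m=5, n=2, k=1, p_x=0.7, p_z=0.3
    print(p_abort(5, 2, 1, 0.7, 0.3), p_theta(5, 2, 1, 0.7, 0.3), check_uniform(5, 2, 1, 0.7, 0.3))
```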
Appendix D: Efficiency calculation

Here we compare the efficiencies of iterative sifting and LCA sifting. Recall from Equation (22) that we define the efficiency $\eta$ of a sifting protocol as

$$\eta = \frac{R}{M}, \qquad \text{(D1)}$$

where $R$ is the random variable of the number of rounds that are kept after sifting and $M$ is the random variable of the total number of rounds performed in the loop phase of the protocol. The efficiency $\eta$ depends on the particular history of the protocol: different runs of the protocol may have different efficiencies. Therefore, $\eta$ is a random variable. In the following, $R_I$ and $M_I$ denote the random variables $R$ and $M$ for the iterative sifting protocol, and $R_L$ and $M_L$ denote the corresponding random variables for the LCA protocol. Whereas in the case of iterative sifting the number $R_I$ is fixed and the number $M_I$ is a random variable, the opposite is true for the LCA sifting protocol, where $M_L=m$ is fixed but $R_L$ is a random variable. (Note that the LCA sifting protocol may abort, in which case $R_L=0$.)

To compare the efficiencies of the two protocols, we calculate the expected value of $\eta$ in each case. We first do this for the case of iterative sifting. Recall that $A_r$ and $B_r$ are the random variables of Alice's and Bob's basis choice in round $r$, respectively, and that $N_d$ is the number of basis disagreements. Then we have:


$$\langle\eta_I\rangle = \Big\langle\frac{R_I}{M_I}\Big\rangle \qquad \text{(D2)}$$
$$= (n+k)\Big\langle\frac{1}{M_I}\Big\rangle \qquad \text{(D3)}$$
$$= (n+k)\sum_{m=n+k}^{\infty}\frac{1}{m}P_{M_I}(m) \qquad \text{(D4)}$$
$$= (n+k)\sum_{m=n+k}^{\infty}\sum_{n_d=0}^{m-n-k}\frac{1}{m}P_{M_IN_d}(m,n_d) \qquad \text{(D5)}$$
$$= (n+k)\sum_{m=n+k}^{\infty}\sum_{n_d=0}^{m-n-k}\frac{1}{m}\Big(P_{M_IN_dA_mB_m}(m,n_d,0,0)+P_{M_IN_dA_mB_m}(m,n_d,1,1)\Big) \qquad \text{(D6)}$$
$$= (n+k)\sum_{m=n+k}^{\infty}\sum_{n_d=0}^{m-n-k}\frac{1}{m}\left[\binom{m-1}{n_d}\binom{m-n_d-1}{n-1}(p_x^2)^{n}(p_z^2)^{m-n_d-n}(2p_xp_z)^{n_d} + \binom{m-1}{n_d}\binom{m-n_d-1}{k-1}(p_z^2)^{k}(p_x^2)^{m-n_d-k}(2p_xp_z)^{n_d}\right] \qquad \text{(D7)}$$
$$= (n+k)\sum_{m=n+k}^{\infty}\sum_{n_d=0}^{m-n-k}\frac{1}{m}\binom{m-1}{n_d}(2p_xp_z)^{n_d}\left[\binom{m-n_d-1}{n-1}p_x^{2n}p_z^{2(m-n_d-n)} + \binom{m-n_d-1}{k-1}p_z^{2k}p_x^{2(m-n_d-k)}\right]. \qquad \text{(D8)}$$
For the case of the LCA sifting protocol, we have:

$$\langle\eta_L\rangle = \Big\langle\frac{R_L}{M_L}\Big\rangle \qquad \text{(D9)}$$
$$= \frac{1}{m}\langle R_L\rangle \qquad \text{(D10)}$$
$$= \frac{1}{m}(n+k)\,P[N_x\ge n\wedge N_z\ge k] \qquad \text{(D11)}$$
$$= \frac{1}{m}(n+k)\sum_{n_d=0}^{m-n-k}P[N_x\ge n\wedge N_z\ge k\wedge N_d=n_d] \qquad \text{(D12)}$$
$$= \frac{n+k}{m}\sum_{n_d=0}^{m-n-k}\sum_{n_z=k}^{m-n_d-n}P[N_x\ge n\wedge N_z=n_z\wedge N_d=n_d] \qquad \text{(D13)}$$
$$= \frac{n+k}{m}\sum_{n_d=0}^{m-n-k}\sum_{n_z=k}^{m-n_d-n}\binom{m}{n_d}\binom{m-n_d}{n_z}(2p_xp_z)^{n_d}p_z^{2n_z}p_x^{2(m-n_d-n_z)}. \qquad \text{(D14)}$$

The calculation of the expected efficiencies (D8) and (D14) requires a lot of computational power. We wrote programs that compute numerical lower bounds on $\langle\eta_I\rangle$ and $\langle\eta_L\rangle$ for the case where the probabilities are symmetric ($p_x=p_z=1/2$) and where the quotas coincide ($n=k$). A plot of these lower bounds is shown in Figure 3. In order to plot the lower bound on $\langle\eta_L\rangle$, a choice for $m$ had to be made for each value of $n=k$. Our program chooses an $m$ which is likely to maximize the expected efficiency for the given value of $n=k$. Note that $1/2$, being the expected fraction of basis agreements, is an upper bound on the expected efficiencies. Hence, Figure 3 indicates that the difference in the expected efficiencies becomes insignificant for practically relevant values of the block length $n+k$. This means that replacing iterative sifting by LCA sifting is unlikely to have a significant effect on the key rate of a QKD protocol.
Appendix E: Proof of the sufficiency of the formal criteria

In this appendix, we prove that the two formal criteria for good sifting, (1) and (2), are sufficient for good sifting in the sense that the relevant statistical inequality, (6), follows from these two conditions. In other words, we prove 3.

Proof of 3. According to Bayes' Theorem, we have that


Ptail — .P[Akey ^ A test M I -^test ^ Qtol] 

_ .P[Atest ^ Qto\ I Akey ^ Atest “t" p].P[Akey ^ Atest “t” p] 


.f^[Atest ^ ^tol] 


< 


-P[Akey ^ Atest + 

Ppass 


We define the total error rate Atot as the random variable 


Atot : ^zz'0 


[ 0 , 1 ] 




ziB z . 


i=l 


For all (z, ^', 1 ?) S ^zz'e, it holds that 


Akey(2, > A test (z,z,i?)+p 


1 , ^ 1 ^ 

^ i=l ^ z=l 

- '&^){Zi®zl) 0 “ 'di){Zi®z'fj > 0 z') 0 2 :') 0 p 

2=1 2=1 2=1 2=1 


1 1 


+ i: Ee-«fe® 4 >T:E( 


Zi © Zj + /i 


2=1 


2=1 


7 (1 + ]:) Ee - ® -:) > 7 7 El® ® ®') + 7 ^ 

^ ^ 2=1 2=1 


Akey( 2 , > Atot( 2 ,^,ll) 0 yP- 

We express the error rates Akey, Atest and Atot in terms of the error numbers Skey, ^test and Xltot? 

^key — n,Akey j ^test — ^Atest 5 ^tot — ^Atot ■ 


This gives us 


Therefore, 


and hence 


Akey ^ Atot ^ ^ 


^key ^ “n 


^tot ^ n 


Ttail 


l^l^key > Atest + M] — -P [^key > Tl {pT' ® 
P[Ekey>n(^ 0 'f^p)] 


Ppa 


X^o-tot l^[^tot — O’totjP [^key ^ ^ ® I “ 0ot] 

Ppass 

P[^tot = <7tot] "Yh-i P [^key = j \ Etot = 0ot] 


(El) 

(E2) 

(E3) 


(E4) 

(E5) 

(E6) 

(E7) 

(E8) 

(E9) 

(ElO) 

(Ell) 

(E12) 

(E13) 

(E14) 

(E15) 

(E16) 


Ppass 
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where the sum over j ranges over all possible values of E^ey that are larger or equal to the according value, i.e. 


J = 



I — n 
I 


where $\lceil\,\cdot\,\rceil$ denotes the ceiling function. We define

$$h(\sigma_{\mathrm{tot}},l,n,j) := P[\Sigma_{\mathrm{key}}=j \mid \Sigma_{\mathrm{tot}}=\sigma_{\mathrm{tot}}] \qquad \text{(E18)}$$
$$= \frac{P[\Sigma_{\mathrm{key}}=j\wedge\Sigma_{\mathrm{tot}}=\sigma_{\mathrm{tot}}]}{P[\Sigma_{\mathrm{tot}}=\sigma_{\mathrm{tot}}]} \qquad \text{(E19)}$$
$$= \frac{\sum_{(z,z',\vartheta)\in\Gamma^{\sigma_{\mathrm{tot}}}_j}P_{ZZ'\Theta}(z,z',\vartheta)}{\sum_{(z,z',\vartheta)\in\Gamma^{\sigma_{\mathrm{tot}}}}P_{ZZ'\Theta}(z,z',\vartheta)}, \qquad \text{(E20)}$$

where

$$\Gamma^{\sigma_{\mathrm{tot}}}_j = \{(z,z',\vartheta)\in\Omega_{ZZ'\Theta} \mid \Sigma_{\mathrm{key}}(z,z',\vartheta)=j\wedge\Sigma_{\mathrm{tot}}(z,z',\vartheta)=\sigma_{\mathrm{tot}}\}, \qquad \text{(E21)}$$
$$\Gamma^{\sigma_{\mathrm{tot}}} = \{(z,z',\vartheta)\in\Omega_{ZZ'\Theta} \mid \Sigma_{\mathrm{tot}}(z,z',\vartheta)=\sigma_{\mathrm{tot}}\}. \qquad \text{(E22)}$$

It holds for all $(z,z',\vartheta)\in\Omega_{ZZ'\Theta}$ that

$$P_{ZZ'\Theta}(z,z',\vartheta) = P_{ZZ'}(z,z')\,P_{\Theta|ZZ'}(\vartheta\,|\,z,z') \qquad \text{(E23)}$$
$$= P_{ZZ'}(z,z')\,P_\Theta(\vartheta) \qquad \text{(E24)}$$
$$= P_{ZZ'}(z,z')\,c, \qquad \text{(E25)}$$

where $P_{ZZ'}$ and $P_\Theta$ are the according marginal distributions of $P_{ZZ'\Theta}$. Equation (E24) follows from (2), and Equation (E25) follows from Equation (1). This implies

$$h(\sigma_{\mathrm{tot}},l,n,j) = \frac{\sum_{(z,z',\vartheta)\in\Gamma^{\sigma_{\mathrm{tot}}}_j}P_{ZZ'}(z,z')\,c}{\sum_{(z,z',\vartheta)\in\Gamma^{\sigma_{\mathrm{tot}}}}P_{ZZ'}(z,z')\,c} \qquad \text{(E26)}$$
$$= \frac{\sum_{(z,z',\vartheta)\in\Gamma^{\sigma_{\mathrm{tot}}}_j}P_{ZZ'}(z,z')}{\sum_{(z,z',\vartheta)\in\Gamma^{\sigma_{\mathrm{tot}}}}P_{ZZ'}(z,z')} \qquad \text{(E27)}$$
$$= \frac{\sum_{(z,z')\in\Gamma^{\sigma_{\mathrm{tot}}}_{ZZ'}}P_{ZZ'}(z,z')\binom{\sigma_{\mathrm{tot}}}{j}\binom{l-\sigma_{\mathrm{tot}}}{n-j}}{\sum_{(z,z')\in\Gamma^{\sigma_{\mathrm{tot}}}_{ZZ'}}P_{ZZ'}(z,z')\binom{l}{n}} \qquad \text{(E28)}$$
$$= \frac{\binom{\sigma_{\mathrm{tot}}}{j}\binom{l-\sigma_{\mathrm{tot}}}{n-j}}{\binom{l}{n}}, \qquad \text{(E29)}$$

where

$$\Gamma^{\sigma_{\mathrm{tot}}}_{ZZ'} = \Big\{(z,z')\in\{0,1\}^l\times\{0,1\}^l \;\Big|\; \sum_{i=1}^{l}z_i\oplus z'_i=\sigma_{\mathrm{tot}}\Big\}. \qquad \text{(E30)}$$

Equation (E29) means that $h(\sigma_{\mathrm{tot}},l,n,\cdot)$ is a hypergeometric distribution. We are interested in the tail of this distribution,

$$H(\sigma_{\mathrm{tot}},l,n,d) := \sum_{j\ge d}h(\sigma_{\mathrm{tot}},l,n,j), \qquad \text{(E31)}$$

because according to Equations (E16) and (E17),

$$P_{\mathrm{tail}}\le\frac{\sum_{\sigma_{\mathrm{tot}}}P[\Sigma_{\mathrm{tot}}=\sigma_{\mathrm{tot}}]\,H(\sigma_{\mathrm{tot}},l,n,d)}{P_{\mathrm{pass}}}, \qquad \text{(E32)}$$

where

$$d = \Big\lceil n\Big(\frac{\sigma_{\mathrm{tot}}}{l}+\frac{l-n}{l}\mu\Big)\Big\rceil. \qquad \text{(E33)}$$

There are several well-known bounds on the tail of a hypergeometric distribution [24]. For our case, Serfling's bound is a suitable one [25]. The appropriate special case of Serfling's bound for this case reads

$$H(\sigma_{\mathrm{tot}},l,n,d)\le\exp\!\left(-2\,\frac{n\,l}{l-n+1}\Big(\frac{l-n}{l}\mu\Big)^2\right) \qquad \text{(E34)}$$
$$= \exp\!\left(-2\,\frac{n(l-n)^2\mu^2}{l\,(l-n+1)}\right). \qquad \text{(E35)}$$

(Instead of Serfling's bound, one may use Hoeffding's bound [26]. That bound is weaker than Serfling's bound in this case, but it has the advantage that it has been formulated directly in terms of hypergeometric distributions [27, 28], so these references are easier to understand in our context.) Inequalities (E32) and (E35) together imply

$$P_{\mathrm{tail}}\le\frac{\sum_{\sigma_{\mathrm{tot}}}P[\Sigma_{\mathrm{tot}}=\sigma_{\mathrm{tot}}]\,H(\sigma_{\mathrm{tot}},l,n,d)}{P_{\mathrm{pass}}} \qquad \text{(E36)}$$
$$\le\frac{\exp\!\left(-2\,\frac{n(l-n)^2\mu^2}{l\,(l-n+1)}\right)}{P_{\mathrm{pass}}}, \qquad \text{(E37)}$$

which completes the proof. □






